PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
Title source: cnaExploitation Summary
CVE-2026-44338 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including rootdirective-sec, HORKimhab.
AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2026-44338, an authentication bypass vulnerability in PraisonAI's legacy Flask API server. It includes a Docker-based lab with vulnerable and patched versions of the server, along with a PoC script to demonstrate the unauthenticated access to protected routes.
Description
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Exploits (2)
This repository contains a functional proof-of-concept for CVE-2026-44338, an authentication bypass vulnerability in PraisonAI's legacy Flask API server. It includes a Docker-based lab with vulnerable and patched versions of the server, along with a PoC script to demonstrate the unauthenticated access to protected routes.
This repository contains a functional PoC for an authentication bypass vulnerability (CVE-2026-44338) in PraisonAI, leveraging a vulnerable Flask + Flask-CORS configuration. The PoC simulates the vulnerable server environment and demonstrates unauthorized access to endpoints.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L