The critical authentication bypass vulnerability CVE-2026-44338 (CVSS 7.3) in the open multi-agent orchestration framework PraisonAI became the target of active scanning in less than four hours after the advisory was published. The vulnerability affects versions from 2.5.6 through 4.6.33 and allows any network client without a token to access protected endpoints of the API server, including enumerating agents and starting workflows. A fix is available in version 4.6.34 — updating is strongly recommended without delay.
Technical essence of the vulnerability
According to the GitHub security advisory, the issue lies in a legacy Flask-based API server located in the file src/praisonai/api_server.py. In this server, the authentication parameters are hard-coded as AUTH_ENABLED = False and AUTH_TOKEN = None. In practice, authentication is disabled by default, and the bypass is unconditional — it does not depend on the operator’s configuration.
When this legacy server is used, any client with network access to the instance can:
- Obtain a list of configured agents via the /agents endpoint without authentication
- Start a workflow described in agents.yaml via the /chat endpoint
- Repeatedly consume model or API provider quota
- Retrieve the results of executing PraisonAI.run()
The actual impact depends directly on which actions are allowed in the agents.yaml configuration of a specific deployment. If agents have access to internal systems, databases, or external APIs with privileged keys, the consequences may be significantly more serious than just the exposure of configuration data. The vulnerability was discovered by security researcher Shmulik Cohen.
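The fail-open pattern described above can be modelled next to a fail-closed alternative. This is an added example, not PraisonAI's code and not the 4.6.34 fix: the function and class names, the API_SERVER_TOKEN variable and the 32-character minimum are assumptions; only the two constants come from the advisory as quoted.

```python
import hmac

# As quoted from the advisory: both values are constants in the module,
# so no operator setting can switch the check on.
AUTH_ENABLED = False
AUTH_TOKEN = None


def legacy_is_authorized(headers):
    """Simplified model of the fail-open gate (hypothetical function name)."""
    if not AUTH_ENABLED:
        return True  # every caller is accepted, with or without a token
    # Never reached while AUTH_ENABLED is hard-coded to False.
    return headers.get("Authorization") == f"Bearer {AUTH_TOKEN}"


class FailClosedGate:
    """Hardened variant: the token comes from the environment, and a missing
    or short token is a startup error instead of a silent 'auth off'."""

    def __init__(self, environ, var="API_SERVER_TOKEN"):  # variable name is an assumption
        token = environ.get(var, "")
        if len(token) < 32:
            raise RuntimeError(f"{var} must be set to at least 32 characters")
        self._expected = f"Bearer {token}".encode()

    def is_authorized(self, headers):
        supplied = headers.get("Authorization", "").encode()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(supplied, self._expected)
```

In a real service the gate would be built once at startup from os.environ, so a deployment without a token refuses to start rather than serving /agents and /chat to anyone.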
Observed scanning activity
According to Sysdig, which recorded the scanning activity, the advisory was published on 11 May 2026 at 13:56 UTC. The first targeted request to the vulnerable endpoint was received at 17:40 UTC the same day — 3 hours and 44 minutes later.
The scanner, identifying itself as CVE-Detector/1.0, operated from IP address 146.190.133[.]49 and performed two passes eight minutes apart. Each pass generated roughly 70 requests over 50 seconds:
- First pass — scanning of common information-disclosure paths: /.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock
- Second pass — targeted scanning of attack surfaces specific to AI agents, including PraisonAI
The key request corresponding to CVE-2026-44338 was GET /agents without an Authorization header and with the User-Agent CVE-Detector/1.0. As Sysdig reports, the server returned 200 OK with a response body containing the agent configuration, confirming a successful authentication bypass.
It is important to note: according to Sysdig, no POST requests to the /chat endpoint were observed. This indicates reconnaissance activity — identifying vulnerable hosts without attempting to start workflows. However, these observations are based on telemetry from a single source and have not been independently confirmed by other researchers or CISA.
Impact assessment
The two-phase scanning profile warrants particular attention. The combination of classic web application reconnaissance paths with targeted scanning of AI infrastructure indicates that adversary tooling is adapting to the AI agent ecosystem. Agent orchestration frameworks such as PraisonAI are often deployed with access to language model API keys, internal services, and sensitive data, which makes them an attractive target.
The highest risk is faced by organizations that:
- Have deployed PraisonAI with the legacy Flask API server exposed to the internet
- Use agents.yaml configurations with privileged API keys or access to internal resources
- Have not updated PraisonAI to version 4.6.34
If exploitation succeeds, an attacker may not only obtain the agent configuration, but also start arbitrary workflows, leading to consumption of API provider quotas, data leaks via agent execution results, or use of the victim’s infrastructure as a pivot for further attacks.
Response recommendations
- Update immediately to PraisonAI version 4.6.34 or later
- Audit your deployments: verify whether the legacy Flask API server (api_server.py) is in use and whether it is reachable from external networks
- Check logs for requests to /agents and /chat without an Authorization header, especially those with the User-Agent CVE-Detector/1.0 or from IP address 146.190.133[.]49
- Rotate credentials: treat all API keys and tokens specified in agents.yaml as potentially compromised and replace them
- Review billing with language model providers for signs of abnormal quota consumption
- Restrict network access to the PraisonAI API server using network segmentation or a firewall
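The log check recommended above can be scripted as follows. This is an added example, not code from Sysdig or the PraisonAI project. It assumes a reverse proxy in front of the API server writes one JSON object per line with the fields src, method, path, status, ua and auth (true when an Authorization header was present); that format, the function names and the sample lines are constructed for illustration.

```python
import json

# Indicators from the article; the IP is kept defanged and refanged for matching.
SCANNER_UA = "CVE-Detector/1.0"
SCANNER_IP = "146.190.133[.]49".replace("[.]", ".")
PROTECTED = {"/agents", "/chat"}

def triage(lines):
    """Flag unauthenticated requests to the protected endpoints.
    Assumed log format: one JSON object per line with src, method, path,
    status, ua and auth (true when an Authorization header was present).
    """
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            e = json.loads(line)
            status = int(e.get("status", 0))
        except (ValueError, AttributeError, TypeError):
            continue  # truncated line, non-object JSON or unusable status
        path = str(e.get("path", "")).split("?", 1)[0].rstrip("/")
        if path not in PROTECTED or e.get("auth"):
            continue
        served = 200 <= status < 300
        if served and path == "/chat" and e.get("method") == "POST":
            severity = "workflow-started"  # went beyond reconnaissance
        elif served:
            severity = "bypass-confirmed"  # protected data returned without a token
        else:
            severity = "probe-rejected"    # e.g. 401 from a patched or gated server
        known = e.get("ua") == SCANNER_UA or e.get("src") == SCANNER_IP
        findings.append({"line": n, "src": e.get("src"), "path": path,
                         "severity": severity, "known_scanner": known})
    return findings

def _entry(src, method, path, status, ua, auth):
    return json.dumps(dict(src=src, method=method, path=path, status=status, ua=ua, auth=auth))

# Constructed sample log (not real telemetry); 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE = [
    _entry(SCANNER_IP, "GET", "/.env", 404, SCANNER_UA, False),
    _entry(SCANNER_IP, "GET", "/agents", 200, SCANNER_UA, False),
    _entry("198.51.100.23", "POST", "/chat", 200, "python-requests/2.31.0", False),
    _entry("203.0.113.5", "GET", "/agents", 200, "internal-dashboard", True),
    _entry("203.0.113.9", "GET", "/agents/", 401, "curl/8.5.0", False),
    "{truncated",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A "workflow-started" finding means the credential rotation and billing review steps apply to that deployment regardless of whether the source matches the known scanner.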
The CVE-2026-44338 case shows that, for AI infrastructure, the window between publication of a security advisory and the start of mass scanning is measured in hours. Any project shipped with authentication disabled by default and reachable over the network will be discovered and probed by automated tools almost immediately. The top priority is to update to version 4.6.34, followed by rotation of all secrets referenced by the agent configuration.