
Threat actors have been observed attempting to exploit recently disclosed security vulnerabilities in PraisonAI, an open source multi-agent orchestration framework, within four hours of publication.
The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), which exposes sensitive endpoints when authentication is missing, allowing an attacker to call protected functions of the API server without a token.
“PraisonAI ships a legacy Flask API server with authentication disabled by default,” according to an advisory released by maintainers earlier this month. “If that server is used, any caller that can reach that server can access /agents without providing a token and trigger any Agents.yaml workflows configured through /chat.”
Specifically, the traditional Flask-based API server src/praisonai/api_server.py hardcodes AUTH_ENABLED = False and AUTH_TOKEN = None. According to PraisonAI, successful exploitation of this flaw could have a variety of impacts, including:
- Unauthenticated enumeration of configured agent files via /agents
- Unauthenticated triggering of locally configured “agents.yaml” workflows via /chat
- Repeated consumption of model/API quotas and exposure of PraisonAI.run() results to unauthenticated callers
“The impact therefore depends on what is allowed in the operator’s agents.yaml, but authentication bypass is unconditional on shipped legacy servers,” PraisonAI said.
This vulnerability affects all versions of the Python package from 2.5.6 to 4.6.33; it was patched in version 4.6.34. Security researcher Shmulik Cohen is credited with discovering and reporting the bug.
In a report released this week, Sysdig said it observed attempts to exploit the flaw within hours of it becoming public knowledge.
“Within 3 hours and 44 minutes of the advisory being published, a scanner calling itself CVE-Detector/1.0 was accurately probing vulnerable endpoints on instances exposed to the internet,” the report said. “The advisory was published [on May 11, 2026,] at 13:56 UTC. The first targeted request arrived at 17:40 UTC the same day.”
According to Sysdig, this activity originated from IP address 146.190.133[.]49 and followed a packaged scanner profile that ran two passes 8 minutes apart, pushing about 70 requests in about 50 seconds on each pass.
The first pass scanned the common disclosure paths (/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock), while the second pass specifically targeted the AI agent surface, PraisonAI included.
“The probe that directly matched CVE-2026-44338 was a single GET /agents without the Authorization header and with User-Agent CVE-Detector/1.0,” Sysdig said. “This request returned a 200 OK with body {"agent_file":"agents.yaml","agents":[…]}, confirming that the bypass was successful.”
We do not see the scanner sending POST requests to the “/chat” endpoint in either pass. This indicates that the activity is consistent with initial checks to determine whether the authentication bypass works and whether the host is exploitable via CVE-2026-44338.
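The signal Sysdig describes (a token-less request to /agents or /chat answered with 200) is easy to hunt for in proxy logs. The following is an added example, not code from Sysdig or the PraisonAI project; it assumes the reverse proxy writes combined-format access logs with one extra trailing field that records only whether an Authorization header was present, and all log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in combined log format, extended with one trailing quoted
# field that records only whether an Authorization header was present ("present" or
# "-"), never its value. Illustrative data, not captured traffic from the incident.
SAMPLE_LOG = """\
203.0.113.10 - - [11/May/2026:17:40:02 +0000] "GET /agents HTTP/1.1" 200 187 "-" "CVE-Detector/1.0" "-"
203.0.113.10 - - [11/May/2026:17:40:05 +0000] "GET /.env HTTP/1.1" 404 0 "-" "CVE-Detector/1.0" "-"
198.51.100.7 - - [11/May/2026:17:41:10 +0000] "GET /agents HTTP/1.1" 200 187 "-" "curl/8.4.0" "present"
198.51.100.9 - - [11/May/2026:18:02:44 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "python-requests/2.31" "-"
198.51.100.9 - - [11/May/2026:18:03:01 +0000] "GET /agents?x=1 HTTP/1.1" 401 0 "-" "python-requests/2.31" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$'
)

# Endpoints the advisory names as reachable without a token on the legacy server.
SENSITIVE_PATHS = {"/agents", "/chat"}


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    ua: str
    severity: str  # "high" = bypass confirmed by a 2xx, "low" = rejected probe


def scan_log(text: str) -> list[Finding]:
    """Flag requests to sensitive endpoints that carried no Authorization header."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a line in the expected format; skip rather than crash
        path = m["path"].split("?", 1)[0]  # ignore query strings when matching
        if path not in SENSITIVE_PATHS or m["auth"] != "-":
            continue
        # A 2xx on a token-less request means the server did not enforce auth.
        severity = "high" if m["status"].startswith("2") else "low"
        findings.append(Finding(m["ip"], m["ts"], m["method"], path, m["ua"], severity))
    return findings
```

On the sample data, scan_log(SAMPLE_LOG) returns two "high" findings (the GET /agents from CVE-Detector/1.0 and the POST /chat) and one "low" finding for the rejected 401 probe; a "high" hit on a host still running the legacy server should be treated as confirmation that the bypass worked there.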
The rapid exploitation of PraisonAI is the latest example of a broader trend in which threat actors are increasingly incorporating newly revealed flaws into their arsenals before they can be patched. We recommend that users apply the latest fixes as soon as possible, audit existing deployments, review model provider claims for suspicious activity, and rotate credentials referenced in ‘agents.yaml’.
“Adversarial tools are expanding beyond household names to the entire AI and agent ecosystem, regardless of scale, and the operating assumption for projects shipping unauthenticated defaults is that the time window between disclosure and active exploitation must be in the single digits,” Sysdig said.
