PraisonAI Left the Front Door Open (CVE-2026-44338)
Key Takeaways
- CVE-2026-44338 was published as GHSA-6rmh-7xcm-cpxj on May 11, 2026 at 13:56 UTC.
- PraisonAI's legacy Flask API server had authentication disabled by default.
- Versions 2.5.6 through 4.6.33 are vulnerable; the fix shipped in 4.6.34.
- CVSS rating of 7.3 for missing authentication on sensitive endpoints.
- First scanning attempt landed less than four hours after the advisory was published.
Summary
A missing-authentication flaw in the multi-agent framework PraisonAI left protected API endpoints reachable without a token, and, as The Hacker News reported, scanners began probing the exact vulnerable path within three hours and 44 minutes of disclosure. The vulnerability affects every release from 2.5.6 through 4.6.33 and was patched in 4.6.34.
What We Know
The advisory GHSA-6rmh-7xcm-cpxj was published to the GitHub security advisory database on May 11, 2026 at 13:56 UTC and assigned CVE-2026-44338 with a CVSS score of 7.3. PraisonAI is an open-source multi-agent framework used to orchestrate autonomous AI agents across enterprise tasks, similar in role to CrewAI and AutoGen.
The flaw resides in the legacy Flask API server bundled with the project, where authentication was disabled by default in affected versions. As CSO Online reported, any internet-exposed instance let an unauthenticated caller invoke protected endpoints simply by sending a request.
Telemetry confirmed by SecurityWeek shows the first targeted probe, identifying itself as CVE-Detector/1.0, landed at 17:40 UTC the same day the advisory dropped. The patch in PraisonAI 4.6.34 restores authentication on the affected endpoints.
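A triage sketch built from the facts above, added here as an example and not taken from PraisonAI or the advisory: it checks a release string against the affected range and flags access-log requests carrying the reported scanner User-Agent after the disclosure time. The combined log format, the sample lines, the documentation IPs and the `/example-path` placeholder are assumptions; the article does not give the probed path.

```python
import re
from datetime import datetime, timezone

# Values taken from the advisory summary above.
AFFECTED_MIN = (2, 5, 6)
FIXED_IN = (4, 6, 34)
DISCLOSED = datetime(2026, 5, 11, 13, 56, tzinfo=timezone.utc)
SCANNER_UA = "CVE-Detector/1.0"

# Assumption: the fronting proxy writes the common "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_affected(version: str) -> bool:
    """True if a release string falls in 2.5.6 <= v < 4.6.34."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad short versions such as "3.0"
    return AFFECTED_MIN <= parts < FIXED_IN

def find_probes(lines):
    """Return (utc_time, ip, status, request) for scanner hits after disclosure."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or SCANNER_UA not in m["ua"]:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= DISCLOSED:
            hits.append((ts.astimezone(timezone.utc), m["ip"],
                         int(m["status"]), m["req"]))
    return hits

# Constructed sample log lines (documentation IPs, placeholder path).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2026:17:40:12 +0000] "GET /example-path HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"',
    '198.51.100.4 - - [11/May/2026:18:02:45 +0000] "GET /example-path HTTP/1.1" 401 0 "-" "CVE-Detector/1.0"',
    '192.0.2.10 - - [11/May/2026:09:15:00 +0000] "GET /example-path HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/May/2026:23:59:59 +0000] "GET /example-path HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"',
]

if __name__ == "__main__":
    for v in ("2.5.5", "2.5.6", "4.6.33", "4.6.34"):
        print(v, "affected" if is_affected(v) else "not affected")
    for ts, ip, status, req in find_probes(SAMPLE_LOG):
        # A 2xx reply means the endpoint answered the probe; review that host first.
        print(ts.isoformat(), ip, status, "answered" if 200 <= status < 300 else "rejected")
```

A User-Agent is trivially changed, so an empty result does not show that an instance went unprobed; the version check is the stronger signal.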
What Happened
PraisonAI shipped a legacy Flask API server with authentication disabled in the default configuration. Operators who exposed the framework to a network without adding a reverse proxy or external auth gateway inherited that default and effectively published the agent control plane to the internet.
Once the advisory was published, attackers immediately had a precise endpoint to scan for and a clear behavioral fingerprint. The pattern matches a now-routine class of AI framework failures where convenience defaults around authentication collide with rapid adoption.
The AI-specific failure is that PraisonAI's API server is not just a control panel; it is the control plane for autonomous agents that can call tools, spend money, and act on systems. Missing authentication on that plane is the agent equivalent of an unauthenticated SSH daemon on a production host.
Why It Matters
Multi-agent frameworks are increasingly deployed inside enterprise environments to handle customer support automation, software engineering tasks, and internal analytics. An exposed PraisonAI instance gives an attacker a turnkey way to redirect agent behavior, exfiltrate task data, and run unauthorized tool calls under the operator's identity.
Affected data includes anything the deployed agents have access to, which in real-world deployments tends to include CRM data, ticketing systems, internal wikis, and cloud APIs. The financial and reputational impact for any organization caught with a vulnerable instance scales with the agent's reach, not the framework's.
The four-hour window between disclosure and active scanning also matters for governance. It tells security teams that AI framework patching cannot follow the same monthly cadence as traditional application servers; it has to follow the cadence of zero-day response.
PointGuard AI Perspective
PraisonAI is exactly the kind of agent platform that PointGuard AI Discovery is designed to find before attackers do. Continuous discovery across cloud, on-prem, and developer environments surfaces unknown agent deployments and flags the ones running on vulnerable framework versions or with disabled authentication.
Where coverage already exists, the PointGuard Agent Governance Mesh enforces per-agent identity and intent-based access control on every tool call, so even an attacker who reaches the PraisonAI API cannot push the agent into out-of-policy actions. Policy is anchored to the agent, not the network port.
For organizations standardizing on a control framework, the PointGuard AI Governance solution maps these controls back to NIST AI RMF, the EU AI Act, and internal standards, with audit-grade evidence of agent identity, authorization, and observed behavior. The forward-looking lesson is that agent frameworks are now critical infrastructure, and treating them with the visibility and authorization discipline of any other production control plane is what keeps PraisonAI-class incidents from becoming the next four-hour scanner free-for-all.
Incident Scorecard
Total AISSI Score: 6.2/10
Criticality: 6/10. Agent control plane with access to whatever tools and data the deployment exposes. AISSI weighting: 25%.
Propagation: 6/10. Common pattern across exposed AI framework instances and easily fingerprinted. AISSI weighting: 20%.
Exploitability: 8/10. Live scanners within four hours of disclosure; trivial unauthenticated requests. AISSI weighting: 15%.
Supply Chain: 7/10. Default-configured open-source framework reused widely across deployments. AISSI weighting: 15%.
Business Impact: 5/10. No major confirmed enterprise breach disclosed publicly at time of writing. AISSI weighting: 25%.
