PraisonAI Authentication Bypass Scanned Within Hours of Disclosure
Threat actors began probing internet-exposed PraisonAI instances within 3 hours and 44 minutes of public disclosure of CVE-2026-44338, a missing-authentication flaw in the product’s legacy Flask API server. The vulnerability, tracked in GitHub advisory GHSA-6rmh-7xcm-cpxj, affects versions 2.5.6 through 4.6.33 and was fixed in 4.6.34. Sysdig said the issue stems from authentication being disabled by default in the legacy api_server.py, allowing unauthenticated access to protected endpoints including GET /agents and POST /chat.
Sysdig observed scanning from 146.190.133[.]49 using the User-Agent CVE-Detector/1.0, with activity focused on validating exploitability rather than full hands-on abuse, as no POST /chat requests were seen. Even so, exposed deployments could allow attackers to view agent configurations, trigger workflows defined in agents.yaml, exhaust model or API quotas, expose data, or execute downstream actions through connected tools. Defenders were urged to upgrade to PraisonAI 4.6.34 or later, retire the legacy API server, restrict exposure of port 8080, monitor for unauthenticated requests to /agents and /chat, and review credentials and billing tied to configured agents.
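One way to implement the monitoring step recommended above, as an added example that is not Sysdig's or PraisonAI's code: it scans constructed reverse-proxy access logs (JSON lines; the `authz` field recording whether an Authorization header was present is an assumption about what the proxy logs) for unauthenticated requests to the two named endpoints and for the reported scanner User-Agent.

```python
import json
import re

# Endpoints the advisory names as exposed when the legacy server runs without auth.
WATCHED = {("GET", "/agents"), ("POST", "/chat")}
# User-Agent string Sysdig reported on the post-disclosure probes.
SCANNER_UA = "CVE-Detector/1.0"

# Constructed sample: JSON-lines access log from a reverse proxy in front of the
# legacy PraisonAI api_server.py. The "authz" field (assumed) records whether an
# Authorization header was present; real proxies need equivalent logging enabled.
SAMPLE_LOG = """
{"ts":"2026-05-11T18:02:11Z","src":"203.0.113.7","method":"GET","path":"/agents","status":200,"authz":false,"ua":"CVE-Detector/1.0"}
{"ts":"2026-05-11T18:02:12Z","src":"203.0.113.7","method":"GET","path":"/agents/","status":200,"authz":false,"ua":"CVE-Detector/1.0"}
{"ts":"2026-05-11T18:05:40Z","src":"198.51.100.9","method":"POST","path":"/chat","status":200,"authz":false,"ua":"python-requests/2.31"}
{"ts":"2026-05-11T18:06:01Z","src":"192.0.2.4","method":"POST","path":"/chat","status":200,"authz":true,"ua":"praisonai-ui/4.6"}
{"ts":"2026-05-11T18:07:22Z","src":"192.0.2.4","method":"GET","path":"/health","status":200,"authz":false,"ua":"kube-probe/1.29"}
"""

def classify(rec):
    """Return a list of finding tags for one parsed log record."""
    tags = []
    path = re.sub(r"/+$", "", rec["path"]) or "/"   # normalize trailing slash
    if (rec["method"], path) in WATCHED and not rec["authz"]:
        tags.append("unauth-protected-endpoint")
        # An accepted unauthenticated POST /chat is the case that can run a workflow.
        if rec["method"] == "POST" and rec["status"] < 400:
            tags.append("possible-workflow-trigger")
    if rec["ua"] == SCANNER_UA:
        tags.append("known-scanner-ua")
    return tags

def scan(log_text):
    """Parse JSON lines and return findings as (src, method, path, tags)."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            findings.append((rec["src"], rec["method"], rec["path"], tags))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Authenticated traffic and unrelated paths produce no findings, so the same filter can run continuously against a proxy log stream.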

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Sysdig publicly reports rapid post-disclosure probing activity
On 2026-05-12, Sysdig published research documenting the near-immediate scanning for CVE-2026-44338 and warning that exposed workflows could enable quota exhaustion, tool execution, data exposure, and downstream abuse. The company recommended upgrading to 4.6.34 or later, restricting exposure of port 8080, and monitoring for unauthenticated GET /agents and POST /chat requests.
Internet scanning for vulnerable PraisonAI instances begins within hours
Sysdig observed probing of internet-exposed PraisonAI instances 3 hours and 44 minutes after the public advisory, including requests from 146.190.133.49 using the User-Agent "CVE-Detector/1.0". The activity appeared aimed at validating exploitability of the vulnerable endpoint rather than fully weaponizing the flaw.
PraisonAI fixes CVE-2026-44338 in version 4.6.34
PraisonAI addressed the authentication bypass vulnerability in release 4.6.34. The fix remediated the legacy API server issue that had shipped with authentication disabled by default.
GitHub publishes advisory for PraisonAI auth bypass CVE-2026-44338
On 2026-05-11, GitHub published advisory GHSA-6rmh-7xcm-cpxj for CVE-2026-44338, a missing-authentication flaw in PraisonAI's legacy Flask API server. The issue affects versions 2.5.6 through 4.6.33 and can expose protected endpoints such as /agents and /chat to unauthenticated access.
Sources
4 references tracked.
PraisonAI Vulnerability Exploited Within Hours of Public Disclosure (cybersecuritynews.com)
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure (thehackernews.com)
CVE-2026-44338: PraisonAI authentication bypass in under 4 hours and the growing trend of rapid exploitation | Sysdig (webflow.sysdig.com)
CVE-2026-44338: PraisonAI authentication bypass in under 4 hours and the growing trend of rapid exploitation | Sysdig (sysdig.com)