Missing Authentication in PraisonAI Legacy Flask API Server
CVE-2026-44338 is a missing-authentication vulnerability in PraisonAI’s legacy Flask API server (src/praisonai/api_server.py). Affected versions are 2.5.6 through 4.6.33. The legacy server shipped with insecure defaults, including AUTH_ENABLED = False and AUTH_TOKEN = None, and its authentication helper failed open when authentication was disabled. As a result, when the legacy server is used, unauthenticated callers can access GET /agents and POST /chat without presenting an Authorization token. The /agents endpoint exposes configured agent metadata, including the agent definition file and agent list. The /chat endpoint triggers execution of the local agents.yaml workflow via PraisonAI(agent_file="agents.yaml").run(); reported analysis indicates the submitted message field is ignored and the configured workflow executes regardless. The legacy server also bound to 0.0.0.0:8080 when launched directly, increasing exposure on reachable network interfaces.
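The fail-open pattern described above, next to a fail-closed alternative and a startup check for the insecure defaults. This is an added example, not code from PraisonAI or from either PoC repository. The function names, the config dictionary layout and the sample token are assumptions made for illustration.

```python
import hmac
import ipaddress

# Defaults as the advisory describes them for the legacy server.
LEGACY_DEFAULTS = {"AUTH_ENABLED": False, "AUTH_TOKEN": None, "HOST": "0.0.0.0"}


def check_auth_fail_open(headers, cfg):
    """Models the flawed pattern: auth disabled means every caller passes."""
    if not cfg["AUTH_ENABLED"]:
        return True  # fail-open: no token is ever inspected
    return headers.get("Authorization") == f"Bearer {cfg['AUTH_TOKEN']}"


def check_auth_fail_closed(headers, cfg):
    """Hardened sketch: a disabled flag or missing token rejects everyone."""
    token = cfg.get("AUTH_TOKEN")
    if not cfg.get("AUTH_ENABLED") or not token:
        return False  # misconfiguration must not grant access
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(presented.encode(), token.encode())


def startup_findings(cfg):
    """Reasons to refuse to start; HOST is assumed to be an IP literal."""
    findings = []
    if not cfg.get("AUTH_ENABLED"):
        findings.append("authentication disabled")
    elif not cfg.get("AUTH_TOKEN"):
        findings.append("authentication enabled but no token set")
    if not ipaddress.ip_address(cfg.get("HOST", "127.0.0.1")).is_loopback:
        findings.append("listening on a non-loopback address")
    return findings


def status_for(check, headers, cfg):
    """HTTP status a protected route (/agents, /chat) would return."""
    return 200 if check(headers, cfg) else 401


if __name__ == "__main__":
    # Constructed sample config; "lab-token" is a placeholder value.
    hardened = {"AUTH_ENABLED": True, "AUTH_TOKEN": "lab-token", "HOST": "127.0.0.1"}
    print(status_for(check_auth_fail_open, {}, LEGACY_DEFAULTS))
    print(status_for(check_auth_fail_closed, {}, hardened))
    print(startup_findings(LEGACY_DEFAULTS))
```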
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a local Docker lab and proof-of-concept for CVE-2026-44338, an authentication bypass affecting PraisonAI’s legacy Flask API server. It is not a weaponized exploit; it is a controlled reproduction showing that when authentication is disabled by default, unauthenticated callers can access GET /agents and POST /chat. The PoC in poc/poc.py sends unauthenticated HTTP requests to both endpoints on a vulnerable lab instance and a patched comparison instance, then classifies the target as LIKELY_VULNERABLE if both routes return HTTP 200 and expected response markers are present.

Repository structure is simple: docker-compose.yml launches two containers, vuln and patched; vuln/start_server.py implements the fail-open behavior with AUTH_ENABLED = False; patched/start_server.py implements the fixed behavior with bearer-token enforcement; poc/poc.py is the main operator-facing script; README.md documents the CVE, affected versions, expected results, and references. Both server implementations use a DummyPraisonAI stub and agents.yaml string reference to simulate workflow execution without external side effects.

Main exploit capability: unauthenticated access to legacy API routes over HTTP. On the vulnerable service, /agents discloses agent metadata and /chat accepts attacker-supplied JSON containing a message and reaches the workflow-trigger path without authentication. The patched service requires Authorization: Bearer lab-token and returns 401 otherwise. The exploit is best classified as a web/network POC for authentication bypass validation rather than post-exploitation code or RCE.

Small PoC repository for a PraisonAI authentication bypass advisory (GHSA-6rmh-7xcm-cpxj). The repository contains one primary Python script, a sample agents.yaml, and documentation/license files. The script does not exploit a remote target directly; instead, it stubs the praisonai module with a DummyPraisonAI class, ensures an agents.yaml file exists, dynamically loads src/praisonai/api_server.py from a local vulnerable PraisonAI checkout, and launches the Flask server on 0.0.0.0:8080. The intended demonstration is that authentication is disabled, allowing unauthenticated requests to endpoints such as /agents and /chat. This is a proof-of-concept web/network exploit for local testing of improper authentication exposure rather than a weaponized exploit. No reverse shell, persistence, or post-exploitation payload is included.
Recent activity
40 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.
An authentication bypass vulnerability in PraisonAI’s legacy Flask API server caused by insecure default settings that disable authentication and expose API endpoints, allowing unauthenticated attackers to enumerate agents, trigger workflows, extract output data, and consume external AI model quotas.
A missing authentication vulnerability in PraisonAI's legacy Flask API server that allows unauthenticated access to sensitive endpoints and protected functionality.
A specific vulnerability identified as CVE-2026-44338 affecting PraisonAI; the content indicates it drew scanner activity shortly after public disclosure.
An authentication bypass in PraisonAI's legacy Flask-based api_server.py where authentication is disabled by default, allowing unauthenticated access to GET /agents and POST /chat and enabling arbitrary triggering of configured agent workflows.
An authentication bypass in PraisonAI's legacy Flask-based api_server.py where authentication is disabled by default, exposing unauthenticated access to GET /agents and POST /chat and allowing arbitrary triggering of configured agent workflows.