A newly identified critical vulnerability in PraisonAI has garnered significant attention after security researchers detected attempts to exploit it just hours post its public disclosure. This flaw, tagged as CVE-2026-44338, is detailed in the GitHub advisory GHSA-6rmh-7xcm-cpxj, and raises alarms due to its potential for allowing unauthorized users to execute AI workflows without the need for credentials.
The vulnerability specifically affects PraisonAI versions ranging from 2.5.6 to 4.6.33. According to the advisory, the core issue resides within a legacy API server that is built on Flask, which, by default, has authentication features disabled. The coding configuration sets the variables AUTH_ENABLED to False and AUTH_TOKEN to None, effectively eliminating any access control measures that would typically safeguard the system.
This lack of authentication creates a critical security loophole, as the authentication checks on the server inaccurately return a ‘true’ status. Consequently, any remote user capable of accessing the API can interact with sensitive endpoints. The situation is further exacerbated by the server’s default binding to 0.0.0.0:8080, thereby making it accessible over the network if it’s exposed.
Attackers can take advantage of two particular endpoints that lie at the heart of this vulnerability:
- GET /agents: This endpoint allows potential attackers to retrieve metadata concerning configured AI agents.
- POST /chat: This endpoint serves to trigger the execution of workflows defined in the agents.yaml file.
Remarkably, the /chat endpoint requires merely a JSON request that contains a message field. However, the server ignores the input and directly executes the predefined workflow using the command PraisonAI(agent_file=”agents.yaml”).run(). Security researchers have confirmed that both of these endpoints successfully respond without requiring any Authorization header, which effectively proves that this vulnerability is a complete authentication bypass rather than a mere misconfiguration.
The implications of this vulnerability are grave. Unauthenticated users are granted the ability to:
- Execute AI workflows remotely without proper authorization.
- Enumerate the configurations of agents and access internal metadata.
- Exhaust API or model usage quotas, leading to potential financial losses.
- Obtain outputs generated by backend workflows, which could include sensitive information.
While this specific flaw does not directly facilitate prompt injection attacks, the impact largely hinges on how the agents.yaml workflow is configured. In scenarios where these workflows perform sensitive or privileged actions, the risk is significantly heightened.
Complicating matters further, PraisonAI’s deployment configurations promote insecure defaults. The API configuration model defaults the auth_enabled setting to false, and sample deployment templates suggest binding to 0.0.0.0 with authentication switched off. Although a newer command, serve agent, provides better security by binding to localhost (127.0.0.1) and requiring API keys, the outdated legacy server is still included in production releases up to version 4.6.33.
Fortunately, this vulnerability has been resolved in version 4.6.34, and users are urged to upgrade without delay. For those unable to apply updates immediately, a set of mitigation strategies has been recommended:
- Restrict network access to the API server via firewalls.
- Avoid exposing the service to the public internet.
- Enable authentication mechanisms manually, if feasible.
- Adopt the newer, more secure server agents deployment method.
This incident is emblematic of a broader concern where AI platforms are distributed with insecure defaults, rendering them appealing targets for opportunistic criminals. The swift exploitation observed in this instance highlights how rapidly adversaries can leverage newly disclosed vulnerabilities, particularly when authentication is unnecessary.
Organizations deploying AI infrastructure must prioritize an audit of their exposed services and ensure that secure configurations are established to avert similar security breaches in the future. The vulnerability not only underscores the immediate risks associated with improper configurations but also serves as a reminder of the ongoing challenges in maintaining security in the rapidly evolving landscape of AI technologies.