CVE-2026-44338
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
In short
PraisonAI includes a legacy API server that runs without authentication by default, allowing anyone who can reach it to execute workflows and access agent configurations without needing credentials.
Technical detail
The legacy Flask API server in PraisonAI versions 2.5.6 to before 4.6.34 exposes the /agents and /chat endpoints without any authentication check, enabling unauthenticated remote workflow execution (CWE-306, missing authentication for critical function) and information disclosure (CWE-668, exposure of resource to wrong sphere). The attack vector is network-based: any instance reachable without firewall restrictions is exposed.
Summary generated and translated by AI from the official description.
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products
MervinPraison · PraisonAI
Public PoCs found: 2
github.com/HORKimhab/CVE-2026-44338
github.com/rootdirective-sec/CVE-2026-44338-Lab
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.