A newly disclosed authentication bypass flaw in the open-source AI orchestration framework PraisonAI was probed by internet scanners less than four hours after its public disclosure.
According to Sysdig's observations, roughly three hours and 44 minutes after the GitHub advisory was published, a scanner identifying itself as “CVE-Detector/1.0” was already probing exposed PraisonAI instances for the exact vulnerable endpoints.
The bug involves a legacy Flask-based API server component in PraisonAI, “src/praisonai/api_server.py”, that shipped with authentication disabled by default. The issue affects versions 2.5.6 to 4.6.33 and has been fixed in version 4.6.34.
“Authentication disabled by default in a development-grade API server is a known anti-pattern, and its blast radius is bounded by whatever permissions the operator gave the agent workflow,” said Trey Ford, chief strategy and trust officer at Bugcrowd. “Any organization that accelerated AI agent adoption without auditing network binding, authentication defaults, and credential exposure in agent configuration files now faces risk it likely hasn’t quantified.”
Sysdig said a GitHub advisory was published around 13:56 UTC on May 11, and probing started at 17:40 UTC.
Authentication was disabled by default
Sysdig said the vulnerable component was a PraisonAI legacy API server, where authentication protections were effectively disabled by design. The researchers noted that any reachable caller could interact with agent workflows without valid tokens.
“PraisonAI ships a legacy Flask-based API server that hard-codes ‘AUTH_ENABLED = False’ and ‘AUTH_TOKEN = None’,” Sysdig researchers said in a blog post. “The check_auth() helper returns True whenever authentication is disabled, so the two ‘protected’ routes fail open by design.”
The flaw, tracked as CVE-2026-44338, received a severity rating of CVSS 7.3 out of 10, but is being treated as urgent because attackers are already looking to exploit it. “Any AI service reachable from the internet should be treated as a production asset with controls around authentication, network segmentation, and monitoring,” said Vineeta Sangaraju, AI Research Engineer at Black Duck, urging organizations to patch immediately.
Sysdig’s researchers said the reconnaissance traffic appeared generic at first, targeting common internet-exposed paths such as /./.env and /admin. Minutes later, however, the scanner pivoted to PraisonAI-specific endpoints including “/praisonai/version.txt”, “/docs”, “/api/agents/config”, and “/api/agents”.
Researchers warned that a successful exploit could escalate to serious breaches. “The bypass itself is not arbitrary code execution,” they said. “But because it removes authentication from a workflow trigger that an operator deliberately exposed to do something useful, the impact ceiling is whatever that workflow is allowed to do.”
Mitigations and recommendations
Sysdig urged organizations to immediately upgrade to PraisonAI version 4.6.34 or later, which removes the vulnerable legacy API behavior and introduces stronger authentication protections.
The researchers also recommended discontinuing use of the legacy “api_server.py” entrypoint entirely, noting that exposed instances running older configurations remain vulnerable to unauthenticated access attempts.
To support detection efforts, defenders were advised to monitor for requests containing the “CVE-Detector/1.0” user-agent string, along with suspicious requests targeting /agents, /chat, /api/agents, and related MCP endpoints. “Until an upgrade is possible, network-layer monitoring catches this class of traffic cleanly because the bypass leaves no missing-auth signal in the application logs,” the researchers noted.
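The monitoring described above, as an added example that is not from Sysdig or PraisonAI: a Python triage pass over reverse-proxy access logs that flags the “CVE-Detector/1.0” user-agent and the PraisonAI paths named in this article. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators named in the article; MCP paths are not listed there, so none are guessed.
SCANNER_UA = "CVE-Detector/1.0"
WATCHED_PATHS = {"/agents", "/chat", "/api/agents", "/api/agents/config", "/praisonai/version.txt"}

# Assumption: a reverse proxy in front of the service writes combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def normalize(target):
    """Drop the query string and a trailing slash so /api/agents/?x=1 still matches."""
    path = target.split("?", 1)[0].rstrip("/")
    return path or "/"

def triage(lines):
    """Return {source_ip: [(ts, method, path, status, reasons), ...]} for matching requests."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped here; count them separately in production
        path, status = normalize(m["target"]), int(m["status"])
        reasons = []
        if SCANNER_UA in m["ua"]:
            reasons.append("scanner-ua")
        if path in WATCHED_PATHS:
            reasons.append("watched-path")
            # With auth disabled the app answers 2xx, so no 401/403 ever marks these hits.
            if 200 <= status < 300:
                reasons.append("served-2xx")
        if reasons:
            findings[m["ip"]].append((m["ts"], m["method"], path, status, reasons))
    return dict(findings)

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [11/May/2026:17:40:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"',
    '203.0.113.7 - - [11/May/2026:17:43:10 +0000] "GET /api/agents/config HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"',
    '198.51.100.9 - - [11/May/2026:18:01:44 +0000] "POST /chat?stream=1 HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '192.0.2.15 - - [11/May/2026:18:05:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The "served-2xx" reason is the one to alert on for unpatched hosts: it marks a watched endpoint that answered a caller, whatever user-agent that caller presented.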