{"id":8150,"date":"2026-05-14T11:35:58","date_gmt":"2026-05-14T11:35:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8150"},"modified":"2026-05-14T11:35:58","modified_gmt":"2026-05-14T11:35:58","slug":"praisonai-vulnerability-gets-scanned-within-4-hours-of-disclosure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8150","title":{"rendered":"PraisonAI vulnerability gets scanned within 4 hours of disclosure"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A newly disclosed authentication bypass flaw in the open-source AI orchestration framework <a href=\"https:\/\/github.com\/MervinPraison\/PraisonAI\" target=\"_blank\" rel=\"noopener\">PraisonAI <\/a>was probed by internet scanners less than four hours after its public disclosure.<\/p>\n<p>According to Sysdig observations, roughly three hours and 44 minutes after a GitHub advisory dropped, a scanner identifying itself as \u201cCVE-Detector\/1.0\u201d was already looking through the exposed PraisonAI instances for exact vulnerable endpoints.<\/p>\n<p>The bug involves a legacy Flask-based API server component \u201csrc\/praisonai\/api_server.py\u201d in PraisonAI that shipped with authentication disabled by default. The issue affects versions 2.5.6 to 4.6.33, and has been fixed in version 4.6.34.<\/p>\n<p>\u201cAuthentication disabled by default in a development-grade API server is a known anti-pattern, and its blast radius is bounded by whatever permissions the operator gave the agent workflow,\u201d said<a href=\"https:\/\/www.linkedin.com\/in\/treyford\/\" target=\"_blank\" rel=\"noopener\"> Trey Ford<\/a>, chief strategy and trust officer at Bugcrowd. \u201cAny organization that accelerated AI agent adoption without auditing network binding, authentication defaults, and credential exposure in agent configuration files now faces risk it likely hasn\u2019t quantified.\u201d<\/p>\n<p>Sysdig said a GitHub <a href=\"https:\/\/github.com\/advisories\/GHSA-6rmh-7xcm-cpxj\" target=\"_blank\" rel=\"noopener\">advisory<\/a> was published around 13:56 UTC on May 11, and probing started at 17:40 UTC.<\/p>\n<h2 class=\"wp-block-heading\">Authentication was disabled by default<\/h2>\n<p>Sysdig said the vulnerable component was a PraisonAI legacy API server, where authentication protections were effectively disabled by design. The researchers noted that any reachable caller could interact with agent workflows without valid tokens.<\/p>\n<p>\u201cPraisonAI ships a legacy Flask-based API server that hard-codes \u2018AUTH_ENABLED = False\u2019 and \u2018AUTH_TOKEN = None\u2019,\u201d Sysdig researchers said in a <a href=\"https:\/\/www.sysdig.com\/blog\/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. \u201cThe check_auth() helper returns True whenever authentication is disabled, so the two \u201cprotected\u201d routes fail open by design.\u201d<\/p>\n<p>The flaw, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-44338\" target=\"_blank\" rel=\"noopener\">CVE-2026-44338<\/a>, received a severity rating of CVSS 7.3 out of 10, but is being considered an urgency, considering attackers are already looking to exploit it.\u00a0 \u201cAny AI service reachable from the internet should be treated as a production asset with controls around authentication, network segmentation, and monitoring,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/vineetasangaraju\/\" target=\"_blank\" rel=\"noopener\">Vineeta Sangaraju<\/a>, AI Research Engineer at Black Duck, urging organizations to patch immediately.<\/p>\n<p>Sysdig\u2019s researchers said the initial reconnaissance traffic appeared generic at first, targeting common internet-exposed paths such as \/.\/.env and \/admin. Minutes later, however, the scanner pivoted to PraisonAI-specific endpoints including \u201c\/praisonai\/version.txt\u201d, \u201c\/docs\u201d, \u201c\/api\/agents\/config\u201d, and \u201c\/api\/agents.\u201d<\/p>\n<p>Researchers warned that a successful exploit could escalate to serious breaches. \u201cThe bypass itself is not arbitrary <a href=\"https:\/\/www.csoonline.com\/article\/4054796\/cursors-autorun-lets-hackers-execute-arbitrary-code.html\">code execution<\/a>,\u201d they said. \u201cBut because it removes authentication from a workflow trigger that an operator deliberately exposed to do something useful, the impact ceiling is whatever that workflow is allowed to do.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Mitigations and recommendations<\/h2>\n<p>Sysdig urged organizations to immediately upgrade to PraisonAI version 4.6.34 or later, which removes the vulnerable legacy API behavior and introduces stronger authentication protections.<\/p>\n<p>The researchers also recommended discontinuing use of the legacy \u201capi_server.py\u201d entrypoint entirely, noting that exposed instances running older configurations remain vulnerable to unauthenticated access attempts.<\/p>\n<p>To support detection efforts, defenders were advised to monitor for requests containing the \u201cCVE-Detector\/1.0\u201d user-agent string, along with suspicious requests targeting \/agents, \/chat, \/api\/agents, and related MCP endpoints. \u201cUntil an upgrade is possible, network-layer monitoring catches this class of traffic cleanly because the bypass leaves no missing-auth signal in the application logs,\u201d the researchers noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A newly disclosed authentication bypass flaw in the open-source AI orchestration framework PraisonAI was probed by internet scanners less than four hours after its public disclosure. According to Sysdig observations, roughly three hours and 44 minutes after a GitHub advisory dropped, a scanner identifying itself as \u201cCVE-Detector\/1.0\u201d was already looking through the exposed PraisonAI instances [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8151,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8150","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8150"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8150"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8150\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8151"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}