Published
- 5 min read
By Allan D - Editor, AI Security Wire
PraisonAI Flaws Exploited Hours After Disclosure: Auth Bypass to RCE
When PraisonAI’s maintainers pushed nine security advisories over a two-day window in late June 2026, the expectation was probably that the community would have some time to patch before anyone looked too closely. They did not. The authentication bypass at the centre of the disclosure, CVE-2026-44338, was being actively scanned in the wild less than four hours after the advisory went public.
Sysdig’s threat research team was watching. Their telemetry caught the first probe at three hours and 44 minutes post-disclosure, coming from a scanner self-identifying as CVE-Detector/1.0, hitting the exact /agents endpoint described in the advisory. That is not a human doing reconnaissance. That is an automated system that ingests public vulnerability feeds and immediately converts them into live scan jobs. The window between “advisory published” and “attackers looking for exposed instances” is now measured in hours, not days.
The Authentication Bypass
PraisonAI is a multi-agent orchestration framework built for running teams of AI agents across task pipelines. It ships with a Flask-based API server, and here is where CVE-2026-44338 lives. The legacy API server has authentication disabled by default, with two configuration constants in the source: AUTH_ENABLED = False and AUTH_TOKEN = None. The authentication check function evaluates these constants and returns True when AUTH_ENABLED is False, regardless of what token is presented. In other words: no authentication.
The practical impact is direct. A GET request to /agents returns the full list of configured agents and their metadata without any credential. A POST to /chat triggers the local agents.yaml workflow instantly. For anyone running PraisonAI with internet-exposed endpoints, an attacker can enumerate and invoke your agent stack with a single curl command.
The fix landed in version 4.6.34. If you have not updated, that is the immediate priority.
Nine Vulnerabilities, One Advisory Window
The auth bypass got most of the attention, but RAXE Labs’ advisory RAXE-2026-050 catalogued eight additional flaws across the PraisonAI ecosystem, spanning two packages and five vulnerability classes. The cluster is significant enough to suggest this was a codebase that had not previously been through systematic security review.
The most technically severe is CVE-2026-41497, carrying a CVSS score of 9.8. It lives in the MCP command parsing layer: the parse_mcp_command function processes the --mcp CLI argument and passes it unsanitised to anyio.open_process(). If any user-controlled input reaches that argument, arbitrary process execution follows. For agentic frameworks where tool invocation is the whole point, the MCP trust boundary is load-bearing. Compromising it is not a minor issue.
Closely related is CVE-2026-34935, a similar command injection path in the praisonaiagents package, where the same unsanitised argument reaches process creation calls. The remediation introduced in v4.5.69 is a command allowlist, ALLOWED_MCP_COMMANDS, containing around 20 permitted executable prefixes (npx, uvx, node, python, docker, and similar). Any first token not in that set is rejected before the process call is entered.
Rounding out the cluster: CVE-2026-34938 is a sandbox bypass, CVE-2026-34936 and CVE-2026-34954 are server-side request forgery flaws that can reach cloud metadata services on 169.254.169.254, and CVE-2026-44336 (CVSS 9.4) is a path traversal in default agent tools allowing arbitrary file writes that may achieve code execution depending on runtime configuration.
A Pattern Worth Naming
Sysdig used this incident to draw a broader point, and it is worth repeating. The sub-four-hour exploitation window here is not a PraisonAI-specific problem. It is a structural feature of how vulnerability intelligence flows through the ecosystem now.
When a CVE is published, automated systems pick it up. Those systems generate signatures, scan payloads, and often automated exploitation scripts. For common vulnerability classes — authentication bypass is extremely common — the gap from disclosure to active scanning has compressed sharply. Sysdig’s data on LiteLLM (CVE-2026-42271) showed similar timelines. The practical implication is that treating patching as a week-or-two-week process after a disclosure is no longer defensible for internet-exposed services.
AI agent frameworks are especially vulnerable to this pattern. They are growing fast, often built by small teams without dedicated security engineering, and deployed by developers who may not be monitoring security feeds closely. The result is a category of software with a large and rapidly expanding install base, a history of severe vulnerability classes (injection, auth bypass, SSRF all appear in this single advisory), and users who are slower to patch than enterprise IT teams.
What to Do
For PraisonAI users: update to 4.6.34 for the auth bypass fix and 4.5.69 or later for the MCP injection remediations. Check your deployment: if your PraisonAI API server is reachable from the internet, assume it has been scanned. Review logs for requests to /agents and /chat from unknown sources.
For defenders watching AI tooling broadly: the rapid exploitation pattern means your patch window after a disclosure on an internet-facing AI framework is measured in hours. If you cannot patch that fast, the operational control is restricting network access. PraisonAI’s API server should not be internet-accessible. Neither should most local LLM serving infrastructure. Bind to localhost or enforce network controls, and treat any deviation as a risk requiring explicit sign-off.
References
- Sysdig — CVE-2026-44338: PraisonAI authentication bypass in under 4 hours and the growing trend of rapid exploitation
- SecurityWeek — Hackers Targeted PraisonAI Vulnerability Hours After Disclosure
- The Hacker News — PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
- RAXE Labs — RAXE-2026-050: PraisonAI Ecosystem Nine-Vulnerability Cluster
- CSO Online — PraisonAI vulnerability gets scanned within 4 hours of disclosure
Frequently Asked Questions
- What is CVE-2026-44338 in PraisonAI?
- CVE-2026-44338 is an authentication bypass in PraisonAI's legacy Flask-based API server where authentication is hardcoded off by default, with AUTH_ENABLED set to False and AUTH_TOKEN set to None. Any unauthenticated attacker with network access can enumerate running agents and trigger workflow execution. The fix is in version 4.6.34.
- How quickly was the PraisonAI auth bypass exploited?
- Sysdig observed the first active scanning attempts within three hours and 44 minutes of the advisory becoming public. The scanner identified itself as CVE-Detector/1.0 and probed the exact /agents endpoint affected by the flaw, indicating automated exploitation infrastructure was already keyed to the CVE number within hours of disclosure.
- What is the MCP command injection vulnerability in PraisonAI?
- CVE-2026-34935 and the related CVE-2026-41497 (CVSS 9.8) affect how PraisonAI handles MCP server launch commands. The --mcp CLI argument and the parse_mcp_command function pass user-controlled input unsanitised to process creation calls, allowing arbitrary command execution in the context of the agent runtime. The fix in v4.5.69 introduces an allowlist of permitted command prefixes.