PraisonAI flaw was probed within hours of public disclosure

A recently disclosed flaw in PraisonAI was targeted by scanner activity within four hours of public disclosure, according to a technical analysis from Sysdig. The issue, tracked as CVE-2026-44338, affects the open-source multi-agent orchestration framework and can let unauthenticated callers reach protected endpoints on the legacy Flask API server.

KEY FACTS

  • Vulnerability: CVE-2026-44338 is a missing authentication flaw with a CVSS score of 7.3.
  • Affected versions: The bug affects PraisonAI package versions 2.5.6 through 4.6.33.
  • Patched version: Version 4.6.34 fixes the issue.
  • Observed activity: Sysdig said the first targeted request arrived 3 hours and 44 minutes after the advisory was published.
  • Confirmed probe: A GET request to /agents returned configuration details without an authorization header.

The advisory said the legacy Flask server ships with authentication disabled by default. When that server is used, callers that can reach it may access /agents and trigger the configured agents.yaml workflow through /chat without a token.

The maintainers said the flaw can lead to unauthenticated enumeration of the agent file, triggering of local workflows, repeated consumption of model or API quota, and exposure of the results of PraisonAI.run() to an unauthenticated caller. The impact depends on what the operator’s agents.yaml is allowed to do.

Sysdig said the probing activity came from 146.190.133.49 and followed a scanner pattern that made two passes about eight minutes apart. The first pass checked common disclosure paths, while the second focused on AI agent surfaces, including PraisonAI.

The report said the request that matched the flaw was a single GET /agents with no Authorization header and a User-Agent of CVE-Detector/1.0. It returned 200 OK with agent_file set to agents.yaml and a list of agents, confirming the bypass worked.

The scanner did not send a POST request to /chat during either pass, which suggests the activity was limited to checking whether the host was exposed. Users are advised to apply the patch, review deployments and check billing or credentials linked to agents.yaml for unusual activity.
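
As an added example (not from Sysdig's report or the PraisonAI project), the script below reviews request logs for the two unauthenticated outcomes described above: a successful GET /agents (enumeration) and a successful POST /chat (workflow execution, the case that would justify a billing and credential review). The JSON-lines schema, including the `authorization` flag, and the sample events are assumptions constructed for illustration.

```python
import json

# Constructed sample log (JSON lines). The field names are an assumed
# reverse-proxy schema, not a format PraisonAI or Sysdig defines.
SAMPLE_LOG = """\
{"src": "203.0.113.10", "method": "GET", "path": "/agents", "status": 200, "authorization": false, "user_agent": "CVE-Detector/1.0"}
{"src": "203.0.113.10", "method": "GET", "path": "/robots.txt", "status": 404, "authorization": false, "user_agent": "CVE-Detector/1.0"}
{"src": "198.51.100.7", "method": "POST", "path": "/chat", "status": 200, "authorization": true, "user_agent": "internal-client/2.1"}
{"src": "198.51.100.23", "method": "POST", "path": "/chat?x=1", "status": 200, "authorization": false, "user_agent": "curl/8.5.0"}
{"src": "203.0.113.10", "method": "GET", "path": "/agents", "status": 401, "authorization": false, "user_agent": "CVE-Detector/1.0"}
not json
"""

# Endpoint -> what a successful unauthenticated call means, per the advisory.
FINDINGS = {
    ("GET", "/agents"): "enumeration",        # agent file and agent list disclosed
    ("POST", "/chat"): "workflow-triggered",  # agents.yaml workflow ran, quota used
}

def classify(event):
    """Return a finding label for one parsed log event, or None."""
    path = str(event.get("path", "")).split("?", 1)[0].rstrip("/") or "/"
    label = FINDINGS.get((str(event.get("method", "")).upper(), path))
    # A truthy flag means a header was sent; a missing flag is treated as absent.
    if label is None or event.get("authorization"):
        return None
    status = event.get("status")
    # Only 2xx responses mean the server answered without a token.
    if not isinstance(status, int) or not 200 <= status < 300:
        return None
    return label

def scan(log_text):
    """Return (line_no, src, label) for every unauthenticated success."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if isinstance(event, dict) and (label := classify(event)):
            hits.append((line_no, event.get("src"), label))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

An `enumeration` hit matches the probe Sysdig described; a `workflow-triggered` hit means an agents.yaml workflow actually ran for a caller that sent no token.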

WHY IT MATTERS

The case shows how quickly new flaws in AI and agent software can move from disclosure to active probing. It also highlights the risk of default authentication settings in exposed services that can reveal workflows or consume resources without a valid token.