PraisonAI CVE-2026-44338: authentication bypass exploited within hours

Colleagues, a heads-up for cybersecurity: the PraisonAI vulnerability (CVE-2026-44338) was probed and targeted within hours of disclosure.
- Essence: the legacy Flask server ships with AUTH_ENABLED=False, so GET /agents returns agent_file: agents.yaml without a token.
- Timeline: Sysdig detected scanning 3h44m after disclosure; researcher Shmulik Cohen reported the bug; patched in v4.6.34.
- Risks: workflows can be triggered via /chat, PraisonAI.run() outputs may leak, and quotas can be consumed without authorization.
Why this matters: the window between disclosure and exploitation is measured in hours, so update versions, audit deployments, and rotate tokens.
What mitigations have you implemented for protecting AI agents?
#cybersecurity #API #AI #vulnerabilities
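
For the "update versions, audit deployments" step, here is an added example (not PraisonAI's own code and not from the original post) that checks a deployment you operate: it compares the installed version with the fixed v4.6.34 and classifies the reply to a tokenless GET /agents. Assumptions: the Python distribution is named praisonai, releases before v4.6.34 are affected, and an exposed server's reply contains the string agent_file.

```python
"""Added audit helper (not PraisonAI code) for a deployment you operate."""
import re
import sys
import urllib.error
import urllib.request
from importlib import metadata

FIXED = (4, 6, 34)  # fixed release named in the post


def parse_version(text):
    """'4.6.34' or 'v4.6.34' -> (4, 6, 34); missing parts count as 0."""
    m = re.match(r"[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)


def is_patched(version_text):
    return parse_version(version_text) >= FIXED


def classify(status, body):
    """Judge the reply to a GET /agents that carried no credentials."""
    if status in (401, 403):
        return "auth-enforced"
    if status == 200 and "agent_file" in body:  # assumed marker of exposure
        return "exposed"
    return "inconclusive"


def probe(base_url, timeout=5):
    """Send the tokenless request to your own server and classify the reply."""
    url = base_url.rstrip("/") + "/agents"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # 4xx/5xx replies arrive as exceptions
        return classify(err.code, "")
    except OSError:                         # refused, timed out, DNS failure
        return "unreachable"


def installed_version(dist="praisonai"):    # distribution name is an assumption
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__" and len(sys.argv) > 1:
    ver = installed_version()
    print("installed:", ver, "| patched:", bool(ver) and is_patched(ver))
    print("tokenless GET /agents:", probe(sys.argv[1]))  # your own base URL
```

Run it with the base URL of your own server as the only argument; an "exposed" result on a host that should be patched usually means an old process or container image is still running.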

