In recent weeks it was confirmed that malicious actors began to exploit, within hours, an authentication failure in PraisonAI, an open source framework for multi-agent orchestration. The vulnerability, tracked as CVE-2026-44338, allows sensitive endpoints to be queried without a token whenever the legacy Flask server is in use.
The technical root of the problem is simple and worrying: the legacy API server, in src/praisonai/api_server.py, ships with AUTH_ENABLED = False and AUTH_TOKEN = None by default, which opens access to /agents and makes it possible to trigger the workflow configured in agents.yaml through /chat without any authentication. According to the maintainers, this affects versions 2.5.6 through 4.6.33 of the Python library and was fixed in 4.6.34; the issue was reported by researcher Shmulik Cohen.

The speed of the exploitation attempts is the clearest lesson: a scanner identifying itself as CVE-Detector/1.0 began querying Internet-exposed instances just hours after public disclosure. Sysdig documented the first request to the vulnerable endpoint at 17:40 UTC on the day of publication and observed two scanning passes, the second already focused on AI agent surfaces such as PraisonAI. In the logs, a GET /agents with no Authorization header returned 200 OK with the agents file listed, which confirms the bypass.
The practical impact depends on the contents of each agents.yaml: from simple enumeration of the configuration to remote triggering of workflows that consume model or API quotas, disclose execution results and, in poorly configured environments, enable lateral movement or exfiltration. The vector requires no creative exploitation: it is enough that the legacy process is reachable from the network.
For any organization that runs PraisonAI or similar agent-based deployments, the immediate priorities are clear: upgrade to the fixed version (4.6.34 in this case) or stop using the legacy Flask server; audit and minimize the exposure of development or administration endpoints; and review agents.yaml files for credentials, hooks or access to external services that need to be rotated. Billing and usage records at model providers should also be reviewed for signs of unauthorized use.
Operationally, it is important not to stop at the patch: apply network controls that restrict who can reach the endpoints (firewall, cloud security rules, access only via VPN or localhost), implement monitoring that looks for scanning patterns (e.g., GET /agents without an Authorization header, or a suspicious User-Agent), and set alerts on consumption spikes in model APIs. It is also prudent to enable robust authentication and to retire any server that starts unprotected by default.
If your deployment has already been scanned, consider revoking and rotating every credential referenced in agents.yaml, auditing access logs and backups for possible exfiltration, and looking for signs of calls to /chat that may have run workflows. Compromise detection tools, log analysis and configuration reviews can reduce the risk of severe impact.
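One way to implement the log monitoring described above, as an added example that is not from the article or the PraisonAI project: the script parses constructed reverse-proxy access-log lines (the trailing `auth=` field, recording whether an Authorization header was present, is an assumed custom log format) and flags unauthenticated 200 responses on /agents and /chat as well as the CVE-Detector/1.0 user-agent mentioned in the article.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache/werkzeug-style combined format plus an
# assumed custom "auth=" field). Addresses, timestamps and agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:17:40:02 +0000] "GET /agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0" auth=none
203.0.113.7 - - [10/May/2026:17:40:03 +0000] "POST /chat HTTP/1.1" 200 1024 "-" "CVE-Detector/1.0" auth=none
10.0.0.5 - - [10/May/2026:17:41:10 +0000] "GET /agents HTTP/1.1" 200 512 "-" "curl/8.5.0" auth=bearer
10.0.0.9 - - [10/May/2026:17:42:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29" auth=none
198.51.100.4 - - [10/May/2026:17:43:15 +0000] "GET /agents HTTP/1.1" 200 512 "-" "python-requests/2.31" auth=none
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" auth=(?P<auth>\S+)$'
)

# Endpoints exposed by the legacy server that must never answer without a token.
SENSITIVE_PATHS = {"/agents", "/chat"}
# User-agent prefixes seen in the scanning described by Sysdig (hypothetical list).
SCANNER_UA_PREFIXES = ("CVE-Detector/",)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the detection reasons for one parsed request (empty list = benign)."""
    reasons = []
    if rec["path"] in SENSITIVE_PATHS and rec["auth"] == "none" and rec["status"] == "200":
        reasons.append("unauthenticated access to sensitive endpoint")
    if rec["ua"].startswith(SCANNER_UA_PREFIXES):
        reasons.append("known scanner user-agent")
    return reasons


def detect(log_text):
    """Return (ip, method, path, ua, reasons) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than crashing the monitor
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["method"], rec["path"], rec["ua"], reasons))
    return hits


def sources_by_hits(hits):
    """Count suspicious requests per source address, for alert thresholds."""
    return Counter(ip for ip, *_ in hits)


if __name__ == "__main__":
    for ip, method, path, ua, reasons in detect(SAMPLE_LOG):
        print(f"{ip} {method} {path} ({ua}): {'; '.join(reasons)}")
```

Wiring the `auth=` field into a real deployment means logging the presence (never the value) of the Authorization header at the proxy in front of the Flask process.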

This episode fits a broader trend: the ecosystem of adversary tooling and scanners quickly incorporates public vulnerabilities, with exploitation windows often measured in hours. Development and security teams must therefore treat insecure default configurations as potential incidents and adopt least-privilege principles from the design stage. For guidance on good authentication practices and how to close these vectors, see resources such as NIST's NVD and OWASP's authentication recommendations.
The PraisonAI vulnerability is a reminder that patching speed and operational hygiene matter as much as the technical fix itself. For more on managing critical vulnerabilities and catalogues of known exploitation, visit the CISA page on actively exploited vulnerabilities and the NVD database. Applying updates, network segmentation and secret rotation should be part of the immediate response of any team that manages AI agents.
NIST's NVD and the OWASP Authentication Cheat Sheet are good references for strengthening access controls, and the CISA list helps prioritize patches against active risks.