PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Summary
PraisonAI, an open-source framework for building multi-agent AI systems, has a critical authentication bypass vulnerability (CVE-2026-44338, severity rating 7.3 out of 10): its default API server ships with authentication disabled, allowing anyone to access protected endpoints and trigger workflows without permission. Threat actors began exploiting this vulnerability within hours of its public disclosure, scanning internet-exposed instances to confirm they could access the vulnerable endpoints.
Solution / Mitigation
The vulnerability has been patched in version 4.6.34. Users are advised to apply the latest fixes as soon as possible, audit existing deployments, review model provider billing for suspicious activity, and rotate credentials referenced in 'agents.yaml'.
Original source: https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
First tracked: May 14, 2026 at 02:00 PM