GHSA-8444-4fhq-fxpq: PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Summary
PraisonAI version 4.6.33 generates a Flask API server with authentication disabled by default when users run `praisonai deploy --type api`. The server exposes endpoints like `/chat` and `/agents` that accept unauthenticated requests and can execute user-supplied commands with access to API keys stored in the environment.
Solution / Mitigation
Enable authentication by explicitly setting `APIConfig(auth_enabled=True, auth_token=...)` when deploying the API server.
Vulnerability Details
EPSS: 0.0%
Yes
May 29, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-8444-4fhq-fxpq
First tracked: May 29, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%