PT-2026-39005 · Praisonai · Praisonai
Shmulc8
·
Published
2026-05-03
·
Updated
2026-06-12
·
CVE-2026-44338
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
PraisonAI versions 2.5.6 through 4.6.33
Description
PraisonAI ships a legacy Flask API server that has authentication disabled by default due to hard-coded
AUTH ENABLED = False and AUTH TOKEN = None variables in the api server.py file. This causes the check auth() function to fail open, allowing any network caller to access protected endpoints without a token. Specifically, the 'GET /agents' endpoint exposes agent metadata, and the 'POST /chat' endpoint triggers the PraisonAI().run() function to execute the configured agents.yaml workflow, regardless of the provided message variable.Real-world incidents indicate that automated scanners, such as
CVE-Detector/1.0, began probing vulnerable systems within 3 hours and 44 minutes of public disclosure. The impact depends on the permissions granted to the agents in agents.yaml, which may include access to internal databases, file systems, shell commands, or the consumption of expensive LLM API quotas. Additionally, the Gateway and AGUI endpoints were found to have hard-coded wildcard CORS headers (Access-Control-Allow-Origin: *), potentially allowing malicious websites to trigger agents on a local machine.Recommendations
Update to version 4.6.34.
As a temporary mitigation, deploy WAF rules to block unauthenticated access to the '/agents' and '/chat' endpoints.
Restrict access to the legacy API server by ensuring it does not bind to
0.0.0.0 if not required.Exploit
Fix
RCE
Exposure of Resource to Wrong Sphere
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Praisonai