PT-2026-39005 · Praisonai · Praisonai

Shmulc8 · Published 2026-05-03 · Updated 2026-06-12 · CVE-2026-44338

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

PraisonAI versions 2.5.6 through 4.6.33
Description

PraisonAI ships a legacy Flask API server that has authentication disabled by default due to hard-coded AUTH_ENABLED = False and AUTH_TOKEN = None variables in the api_server.py file. This causes the check_auth() function to fail open, allowing any network caller to access protected endpoints without a token. Specifically, the 'GET /agents' endpoint exposes agent metadata, and the 'POST /chat' endpoint triggers the PraisonAI().run() function to execute the configured agents.yaml workflow, regardless of the provided message variable.
Real-world incidents indicate that automated scanners, such as CVE-Detector/1.0, began probing vulnerable systems within 3 hours and 44 minutes of public disclosure. The impact depends on the permissions granted to the agents in agents.yaml, which may include access to internal databases, file systems, shell commands, or the consumption of expensive LLM API quotas. Additionally, the Gateway and AGUI endpoints were found to have hard-coded wildcard CORS headers (Access-Control-Allow-Origin: *), potentially allowing malicious websites to trigger agents on a local machine.
Recommendations

Update to version 4.6.34. As a temporary mitigation, deploy WAF rules to block unauthenticated access to the '/agents' and '/chat' endpoints. Restrict access to the legacy API server by ensuring it does not bind to 0.0.0.0 if not required.
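
The fail-open check from the description, shown next to a fail-closed version and a startup guard for the bind-address recommendation. This is an added illustration, not PraisonAI's code or its patch: only AUTH_ENABLED, AUTH_TOKEN and the check_auth name come from the advisory, while the function bodies, the Bearer header format and validate_startup are assumptions.

```python
import hmac
import ipaddress

# Illustrative reconstruction of the fail-open pattern; not PraisonAI source.
AUTH_ENABLED = False
AUTH_TOKEN = None


def check_auth_fail_open(headers):
    """Allows the request whenever auth is disabled or no token is set."""
    if not AUTH_ENABLED or AUTH_TOKEN is None:
        return True  # fail open: every network caller passes
    return headers.get("Authorization") == f"Bearer {AUTH_TOKEN}"


def check_auth_fail_closed(headers, expected_token):
    """Denies unless a configured token is presented (assumed Bearer scheme)."""
    if not expected_token:
        return False  # nothing configured means nobody is authenticated
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(value.encode(), expected_token.encode())


def validate_startup(bind_host, expected_token):
    """Refuses a non-loopback bind (e.g. 0.0.0.0) when no token is configured."""
    try:
        loopback = ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        loopback = bind_host == "localhost"  # any other hostname counts as exposed
    if not loopback and not expected_token:
        raise RuntimeError(f"refusing to bind {bind_host} without an auth token")
    return True


if __name__ == "__main__":
    anonymous = {}  # constructed request headers: caller sends no token
    print("fail-open allows anonymous:", check_auth_fail_open(anonymous))
    print("fail-closed allows anonymous:", check_auth_fail_closed(anonymous, None))
    ok = {"Authorization": "Bearer example-token"}  # constructed sample value
    print("fail-closed allows valid token:", check_auth_fail_closed(ok, "example-token"))
    try:
        validate_startup("0.0.0.0", None)
    except RuntimeError as exc:
        print("startup blocked:", exc)
```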

Exploit

Fix

RCE

Exposure of Resource to Wrong Sphere

Missing Authentication

Weakness Enumeration

Related Identifiers

BDU:2026-07992
CVE-2026-44338
GHSA-6RMH-7XCM-CPXJ

Affected Products

Praisonai