CVE-2026-44338: Scanners Target PraisonAI Within Four Hours of Disclosure
An automated scanner identified as CVE-Detector/1.0 began targeting exposed PraisonAI instances at 17:40:55 UTC on May 11, 2026—less than four hours after the initial security advisory was published. The probe confirmed an authentication bypass in the legacy Flask API server, granting access to preconfigured agentic workflows. This rapid exploitation highlights a growing trend: open-source autonomous agent ecosystems are being actively monitored. Attackers no longer require zero-days; a public CVE is enough to turn insecure defaults into a concrete operational risk.
- Record Response Time: The first exploit attempt was recorded less than four hours after disclosure, with scanners successfully validating the bypass on exposed endpoints.
- Critical Vulnerability: The PraisonAI legacy API server hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None, leaving the /agents and /chat endpoints accessible without credentials.
- Variable Impact: Unauthorized execution of workflows defined in agents.yaml can lead to LLM quota exhaustion, data exfiltration, or the activation of local tools, depending on the environment.
- Current Status: While no POST requests to /chat have been observed yet—suggesting a reconnaissance phase—a patch is now available in version 4.6.34.
The Mechanics of the Legacy API Server Bypass
The PraisonAI legacy API server, implemented in Flask, handles requests directed at user-configured agents. In affected versions, authentication is disabled by default: the source code sets AUTH_ENABLED to False and AUTH_TOKEN to None, so no authorization header or session cookie is ever checked.
When a client sends a GET request to the /agents endpoint, the server responds with HTTP 200 OK and a JSON payload that reveals the agent_file (typically agents.yaml) and the list of available agents. A POST to /chat directly invokes PraisonAI(agent_file='agents.yaml').run() without validating or filtering the content of the message field.
Consequently, any actor able to reach the endpoint can trigger predefined workflows, regardless of the system owner's intent. The flaw affects versions 2.5.6 through 4.6.33 and has been assigned a CVSS v3.1 score of 7.3 (HIGH). The attack vector is network-based and requires no authentication, special privileges, or user interaction.
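As an added illustration, not PraisonAI's own code, the following models the authentication decision described above with the two hard-coded defaults beside a fail-closed replacement; the Request type, handler names, and the agent list standing in for agents.yaml are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the agents.yaml contents; illustrative only, not PraisonAI's code.
AGENT_FILE = "agents.yaml"
AGENTS = ["researcher", "writer"]

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: Optional[dict] = None

def check_auth_legacy(headers: dict, auth_enabled: bool, auth_token: Optional[str]) -> bool:
    """The defaulted-off check the advisory describes: AUTH_ENABLED = False
    short-circuits to True, so AUTH_TOKEN = None is never even consulted."""
    if not auth_enabled:
        return True
    return headers.get("Authorization", "") == f"Bearer {auth_token}"

def check_auth_hardened(headers: dict, auth_token: Optional[str]) -> bool:
    """Fail closed: an unset token denies everything, and the comparison is
    constant-time so a valid token cannot be recovered byte by byte."""
    if not auth_token:
        return False
    presented = headers.get("Authorization", "").encode()
    return hmac.compare_digest(presented, f"Bearer {auth_token}".encode())

def handle(req: Request, authorized: bool) -> Tuple[int, dict]:
    if not authorized:
        return 401, {"error": "unauthorized"}
    if req.method == "GET" and req.path == "/agents":
        return 200, {"agent_file": AGENT_FILE, "agents": AGENTS}
    if req.method == "POST" and req.path == "/chat":
        message = (req.body or {}).get("message", "")
        # Stand-in for PraisonAI(agent_file=...).run(); records what would be triggered
        return 200, {"workflow": AGENT_FILE, "triggered_with": message}
    return 404, {"error": "not found"}

def legacy_server(req: Request) -> Tuple[int, dict]:
    # The two hard-coded defaults named in the advisory
    return handle(req, check_auth_legacy(req.headers, auth_enabled=False, auth_token=None))

def hardened_server(req: Request, configured_token: Optional[str]) -> Tuple[int, dict]:
    return handle(req, check_auth_hardened(req.headers, configured_token))
```

With the legacy defaults every request to /agents or /chat succeeds; the hardened variant rejects both an unset token and a wrong one.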
The Timeline: CVE-Detector/1.0’s Four-Hour Sprint
The advisory for CVE-2026-44338 went public at 13:56:16 UTC on May 11, 2026. By 17:40:55 UTC that same day, Sysdig’s threat intelligence platform recorded the first suspicious contact. The tool used the User-Agent CVE-Detector/1.0 and operated from IP address 146.190.133.49, located within the DigitalOcean network (AS14061) in the United States.
The activity was highly structured, occurring in two distinct waves separated by an eight-minute interval. Each wave generated approximately seventy requests, a cadence indicative of an automated scanner rather than manual exploitation.
The first sequence targeted generic paths to map the attack surface, while the second focused specifically on PraisonAI’s agent endpoints. This narrow window between disclosure and the first confirmed probe makes traditional patching cycles—whether weekly or even daily—functionally obsolete for defending such instances.
"Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances."
— Sysdig Threat Research Team
Assessing the Risk: Impact on Exposed Instances
While this authentication bypass does not equate to traditional arbitrary remote code execution (RCE), the danger lies in the framework’s design. The /chat endpoint acts as a trigger for workflows that operators have built to perform specific tasks. Without an authentication barrier, anyone reaching the server inherits the permissions of those workflows.
Sysdig identified several production risks, including the unauthorized consumption of LLM API quotas, which can lead to unpredictable costs for the system owner. Additionally, unauthorized actors could trigger agent tools configured in agents.yaml, which may include code interpreters, shell access, or file I/O operations.
Information disclosure is another concern: the response to GET /agents exposes the internal structure of the agents and the configuration file path, providing valuable intelligence for follow-up attacks. Currently, the lack of observed POST requests to /chat suggests the threat actors are in a reconnaissance and validation phase rather than an interactive exploitation phase.
However, the ultimate objective of the operators behind IP 146.190.133.49 remains unknown, as does the total number of compromised or exposed instances. While there is no definitive proof that this specific scanner utilized AI-generated tooling, researchers note a broader trend of rapid automation within the AI security ecosystem.
Why the AI-Agent Ecosystem is Under Fire
This incident is not an outlier but a signal of a broader shift in threat actor behavior. As noted by Sysdig, adversarial tools have scaled to target the entire AI and agent ecosystem, regardless of a project's size or mainstream popularity. Despite PraisonAI having a smaller footprint than major cloud platforms, it was targeted within hours of its vulnerability becoming public.
This implies that reconnaissance engines do not wait for a technology to achieve market dominance before adding it to their target lists. An insecure default in an open-source framework, combined with internet exposure, creates a vulnerability window measured in hours.
For security teams, the challenge is both quantitative and qualitative. The time between CVE disclosure and the first exploit attempt has dropped below the length of a single work shift. Traditional remediation cycles—relying on periodic scans, change management approvals, and scheduled maintenance windows—are structurally insufficient to contain this level of risk.
Mitigation and Response
Security teams should prioritize four specific actions. First, update PraisonAI to version 4.6.34 immediately to resolve the authentication flaw. Second, verify whether the legacy API server is exposed to the internet; if so, remove it from the public attack surface or restrict access to trusted networks.
Third, inspect access logs for the User-Agent CVE-Detector/1.0 or connections originating from 146.190.133.49. Any match indicates that the instance has likely been scanned for this vulnerability. Finally, conduct a thorough audit of agents.yaml to limit the permissions and tools available to agents. Reducing an agent's autonomy minimizes the potential damage in the event of unauthorized access.
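The third step, as an added example that is not from the article or Sysdig: a small triage script that applies the published indicators (the User-Agent, the source IP, and the two agent endpoints) to access-log lines in the common Apache/nginx combined format. The sample lines are constructed, and the severity labels are this example's own convention.

```python
import re

# Constructed sample lines in Apache/nginx "combined" format, not real traffic.
SAMPLE_LOG = """\
146.190.133.49 - - [11/May/2026:17:40:55 +0000] "GET /agents HTTP/1.1" 200 143 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:17:41:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
146.190.133.49 - - [11/May/2026:17:49:10 +0000] "GET /chat HTTP/1.1" 405 0 "-" "CVE-Detector/1.0"
198.51.100.23 - - [11/May/2026:18:02:33 +0000] "POST /chat HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [11/May/2026:18:02:35 +0000] "GET /agents HTTP/1.1" 200 143 "-" "curl/8.5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators reported for this campaign, plus the two endpoints the bypass exposes
KNOWN_UA = "CVE-Detector/1.0"
KNOWN_IPS = {"146.190.133.49"}
AGENT_ENDPOINTS = {"/agents", "/chat"}

def classify(line: str):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = COMBINED.match(line)
    if not m:
        return None
    r = m.groupdict()
    path = r["path"].split("?", 1)[0]
    reasons = []
    if r["ua"] == KNOWN_UA:
        reasons.append("known scanner user-agent")
    if r["ip"] in KNOWN_IPS:
        reasons.append("known scanner source IP")
    if path in AGENT_ENDPOINTS and r["status"] == "200":
        # With auth disabled every hit succeeds, so a 200 here from an untrusted
        # source means the bypass was exercised, not merely probed for.
        reasons.append(f"{r['method']} {path} answered 200")
    if not reasons:
        return None
    # A successful POST /chat is the step not yet observed in the wild: it triggers
    # a workflow rather than only enumerating agents, so it is ranked higher.
    severity = "high" if r["method"] == "POST" and path == "/chat" and r["status"] == "200" else "medium"
    return {"ts": r["ts"], "ip": r["ip"], "request": f"{r['method']} {path}", "severity": severity, "reasons": reasons}

def scan(log_text: str) -> list:
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]
```

Any "high" finding means a workflow was triggered, not just enumerated, and the instance should be treated as compromised until the agents.yaml audit says otherwise.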
The line between a vulnerability scan and an active breach is now measured in minutes. The PraisonAI case demonstrates that the primary bottleneck is no longer the availability of exploits, but the structural latency of organizational defenses.
For those managing AI infrastructure, the question is no longer whether an autonomous agent will be targeted, but whether patching and hardening processes can survive an exposure window that closes in less than four hours.
Frequently Asked Questions
Why was authentication disabled by default in the legacy API?
The PraisonAI source code, specifically in src/praisonai/api_server.py, contained hard-coded values: AUTH_ENABLED = False and AUTH_TOKEN = None. This design choice in affected versions created an insecure default that left the /agents and /chat endpoints open to any requester, allowing them to query agent lists and trigger workflows without credentials.
If no POST requests were observed, what is the actual risk?
The absence of POST requests to /chat suggests the current activity is limited to reconnaissance. However, the confirmation that the endpoint responds without authentication validates the bypass. Any unpatched instance remains at risk of having its agentic workflows triggered to consume LLM quotas, execute local tools, or exfiltrate data. The operational risk remains high until the system is updated.
What does this mean for organizations not using PraisonAI?
The speed of this exploit—occurring less than four hours after disclosure—indicates that threat actors are systematically monitoring the AI-agent ecosystem. Any framework with insecure defaults and a public-facing profile is a potential target. This rapid turnaround necessitates a fundamental re-evaluation of remediation timelines across all emerging AI technologies.
Sources
- https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-44338
- https://webflow.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation
- https://www.securityweek.com/hackers-targeted-praisonai-vulnerability-hours-after-disclosure/
- https://vulnerability.circl.lu/vuln/cve-2026-44338