A new report from the Sysdig Threat Research Team (TRT) reveals that on May 11, 2026, a critical vulnerability in PraisonAI, an open-source multi-agent orchestration framework, was exploited in the wild just three hours and 44 minutes after its advisory was published. This rapid turnaround is a reminder of an emerging norm: “AI now enables attackers to reverse-engineer patches, identify the vulnerabilities they address, and generate functional exploits within minutes”.
The vulnerability, tracked as CVE-2026-44338, involves a legacy API server component (api_server.py) that shipped with authentication effectively disabled by default. The code hard-coded a “false” value for authentication enablement, causing two key endpoints, GET /agents and POST /chat, to fail open by design.
- GET /agents: Returns sensitive agent metadata and configuration file names.
- POST /chat: Allows any caller to trigger the framework’s configured workflow.
Researchers noted that at the time of the advisory, “every then-current installation was vulnerable”.
The Sysdig TRT observed a scanner originating from a DigitalOcean IP address systematically probing for AI-agent surfaces. The scanner identified itself with the User-Agent string “CVE-Detector/1.0”, a tell-tale sign that defenders should look for in their logs.
The attack pattern was surgical:
- A sweep for common disclosure paths like .env and admin.
- Narrowing down to AI-specific files such as pyproject.toml and praisonai/version.txt.
- A single GET /agents request with no authorization header, which successfully returned a 200 OK and the full agent configuration.
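As an added example (not code from the Sysdig report or the PraisonAI project), the following Python detector runs the indicators described above over access-log lines: the CVE-Detector/1.0 User-Agent, a sweep across the disclosure paths, a GET /agents answered with 200, and a burst of POST /chat calls. The log lines, the IP addresses (documentation ranges) and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not from the report); IPs are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:14:02:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:14:02:13 +0000] "GET /pyproject.toml HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:14:02:14 +0000] "GET /praisonai/version.txt HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:14:02:15 +0000] "GET /agents HTTP/1.1" 200 1842 "-" "CVE-Detector/1.0"
198.51.100.9 - - [11/May/2026:15:10:00 +0000] "POST /chat HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [11/May/2026:15:10:01 +0000] "POST /chat HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.9 - - [11/May/2026:15:10:02 +0000] "POST /chat HTTP/1.1" 200 530 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = "CVE-Detector/1.0"
RECON_PATHS = {"/.env", "/admin", "/pyproject.toml", "/praisonai/version.txt"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines that are not combined format

def detect(log_text, chat_burst=3):
    """Return {ip: sorted reasons} for clients matching the indicators in the report."""
    reasons, recon, chats = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if rec["ua"] == SCANNER_UA:
            reasons[ip].add("scanner user-agent CVE-Detector/1.0")
        if path in RECON_PATHS:
            recon[ip].add(path)
            if len(recon[ip]) == 2:  # flag once, when the sweep pattern emerges
                reasons[ip].add("disclosure-path sweep")
        if method == "GET" and path == "/agents" and rec["status"] == "200":
            reasons[ip].add("GET /agents served 200: legacy API server reachable")
        if method == "POST" and path == "/chat":
            chats[ip] += 1
            if chats[ip] == chat_burst:  # repeated /chat calls: possible quota burn
                reasons[ip].add(f"{chat_burst}+ POST /chat calls: possible quota burn")
    return {ip: sorted(r) for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, why in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The combined log format does not record the Authorization header, so a 200 on GET /agents from an external address is the usable signal that the legacy server answered without authentication.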
While this is not a traditional Remote Code Execution (RCE) bug, the “impact ceiling” is high because the authentication bypass removes the lock from a tool meant to be powerful. If an attacker loops requests to the /chat endpoint, they can cause “Model API quota burn,” essentially running up the operator’s bill with LLM providers like OpenAI or Anthropic.
More dangerously, because these workflows often have access to powerful tools like shells or internal datasets, an attacker can trigger agents to “write files, exfiltrate from internal datasets, send Slack messages, or trigger downstream workflows”.
To stay ahead of the scanners, Sysdig and the PraisonAI maintainers recommend the following immediate actions:
- Patch Immediately: Upgrade to PraisonAI 4.6.34 or later.
- Decommission Legacy Servers: Migrate away from the api_server.py entrypoint; newer versions bind to the local loopback by default.
- Audit and Rotate: Check your model-provider billing for spikes starting May 11, 2026, and “rotate any credentials referenced in agents.yaml”.