Threat actors began exploiting CVE-2026-44338, a missing authentication vulnerability in the PraisonAI AI agent orchestration framework, 3 hours and 44 minutes after the public advisory was published on May 11, 2026. The flaw affects the legacy Flask API server component, which ships with authentication disabled by default, exposing agent configuration data and the ability to trigger autonomous AI workflows to unauthenticated remote attackers across 51 affected versions. PraisonAI released a fix in version 4.6.34.
CVE-2026-44338 Exposes PraisonAI Agent Configurations to Unauthenticated GET Requests
CVE-2026-44338 (CVSS 7.3) is a missing authentication vulnerability in PraisonAI’s legacy Flask API server. The /agents endpoint does not require an Authorization header, allowing unauthenticated GET requests to return a 200 OK response that includes the full agent configuration, including the contents of agents.yaml. Once an attacker has the agent configuration, they can call the /chat endpoint without authorization to trigger agent workflows — executing AI-driven actions that may include web browsing, code execution, or external API calls, depending on how the agent has been configured.
Researcher Shmulik Cohen discovered the vulnerability. The affected version range spans 2.5.6 through 4.6.33 — 51 separate versions over which the Flask API server shipped with authentication disabled. PraisonAI released version 4.6.34 as the fix.
May 11 Timeline: Advisory Published at 13:56 UTC, First Exploit Observed at 17:40 UTC
The timeline of exploitation was precise. The CVE-2026-44338 advisory was published publicly on May 11, 2026, at 13:56 UTC. The first confirmed exploitation attempt against PraisonAI instances in the wild was observed at 17:40 UTC the same day — a gap of 3 hours and 44 minutes from public disclosure to active attack.
The speed reflects a now-documented pattern of nearly automated vulnerability weaponization. Threat actor infrastructure monitors CVE feeds and advisory publications, extracts enough technical detail to construct a working exploit, and begins scanning for vulnerable targets within hours. For a vulnerability as simple as a missing Authorization header check — where the exploit is a single unauthenticated HTTP GET request — the time from advisory to working exploit is effectively zero, with the only delay being the scanning and targeting pipeline.
Agent Configuration Files and LLM API Keys as High-Value Targets in PraisonAI Deployments
AI agent frameworks like PraisonAI are increasingly deployed in enterprise environments where they are configured with access to LLM API keys, internal data sources, code execution environments, and external service integrations. The agent configuration data exposed through the unauthenticated /agents endpoint often contains credentials and capability definitions that give an attacker a clear picture of what the agent can access and what actions it can perform.
Beyond configuration disclosure, the ability to call /chat without authorization lets an attacker trigger agent workflows on behalf of the compromised deployment — potentially causing the agent to exfiltrate data from connected sources, execute code, or send requests to external services as if instructed by a legitimate operator. Researchers noted that AI agent frameworks are being targeted with increasing frequency because their access to sensitive workflow configurations, LLM API keys, and autonomous action capabilities makes them valuable targets distinct from traditional software vulnerabilities.
Upgrading to PraisonAI 4.6.34 and Auditing Exposed Agent Configurations
Organizations running PraisonAI should upgrade to version 4.6.34 immediately. Given the 3 hour 44 minute exploitation window documented on May 11, internet-exposed instances running versions 2.5.6 through 4.6.33 should be treated as potentially compromised and reviewed for unauthorized access.
Post-upgrade steps include rotating all API keys present in agents.yaml and any other configuration files accessible through the Flask server, reviewing logs for unauthenticated requests to the /agents and /chat endpoints, and auditing what external actions the agent was configured to perform, to assess whether unauthorized workflow executions could have caused downstream effects in connected systems. For organizations that cannot upgrade immediately, restricting network access to the Flask API server to trusted internal IP ranges blocks remote exploitation from outside those ranges until the patch is applied.
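The log review described above can be scripted. The following is an added example, not code from PraisonAI or the advisory: it flags successful requests to /agents and /chat from sources outside trusted ranges. It assumes access logs in Common/Combined Log Format (which do not record whether an Authorization header was sent, so source address and status code serve as the signal); the trusted ranges and sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumption: Common/Combined Log Format, e.g. from a reverse proxy in front of the server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SENSITIVE_PATHS = {"/agents", "/chat"}  # endpoints named in the article
ADVISORY_TIME = datetime(2026, 5, 11, 13, 56, tzinfo=timezone.utc)  # from the article
# Hypothetical trusted ranges; replace with your own internal networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [11/May/2026:12:00:00 +0000] "GET /agents HTTP/1.1" 200 512 "-" "monitor"',
    '203.0.113.7 - - [11/May/2026:17:40:05 +0000] "GET /agents HTTP/1.1" 200 2048 "-" "x"',
    '203.0.113.7 - - [11/May/2026:17:40:09 +0000] "POST /chat HTTP/1.1" 200 310 "-" "x"',
    '198.51.100.23 - - [11/May/2026:18:02:11 +0000] "GET /agents HTTP/1.1" 401 23 "-" "x"',
    '198.51.100.23 - - [10/May/2026:09:00:00 +0000] "GET /agents?x=1 HTTP/1.1" 200 2048 "-" "x"',
    '203.0.113.7 - - [11/May/2026:17:41:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "x"',
]

def is_trusted(ip):
    """True if ip parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def suspicious_requests(lines, since=None):
    """Return (time, ip, method, path) for 2xx hits on sensitive paths from untrusted IPs."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")  # ignore query string, trailing slash
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if path not in SENSITIVE_PATHS or not m["status"].startswith("2"):
            continue
        if is_trusted(m["ip"]) or (since and when < since):
            continue
        hits.append((when, m["ip"], m["method"], path))
    return hits

if __name__ == "__main__":
    for when, ip, method, path in suspicious_requests(SAMPLE_LOG, since=ADVISORY_TIME):
        print(when.isoformat(), ip, method, path)
```

Running without `since` reviews the whole log, which matters because the affected versions were exposed before the advisory; each flagged /agents response is a reason to rotate the keys in agents.yaml.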
