Description
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Published: 2026-05-08
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI ships a legacy Flask API server that has authentication disabled by default, exposing the /agents and /chat endpoints. Anyone who can reach the server can list the configured agents and trigger the configured agents.yaml workflow through /chat without providing a token. Depending on what that workflow's agents are permitted to do (tool calls, file or network access, model queries), an attacker can cause code to run or sensitive data to be read, compromising confidentiality, integrity or availability. The weakness combines a missing authentication check, an insecure default configuration and exposure of a resource to the wrong sphere, reflected in CWE-306, CWE-1188 and CWE-668.

Affected Systems

MervinPraison PraisonAI versions from 2.5.6 up to, but not including, 4.6.34 are affected; the flaw was fixed in 4.6.34 and later releases.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 7.3 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: reachable over the network, no privileges or user interaction required, low-rated impact on each of confidentiality, integrity and availability, and no scope change. EPSS is below 1%, but because no token is required the attack surface is every client with network connectivity to the legacy server. The SSVC assessment lists Exploitation as 'poc' (a proof of concept exists) and Automatable as 'yes'; what an attacker actually gains depends on what the configured agents.yaml workflow is allowed to do. The vulnerability is not listed in the CISA KEV catalog, yet exploitation is straightforward wherever the server is reachable, since the endpoints accept requests from anyone.

Generated by OpenCVE AI on May 8, 2026 at 19:20 UTC.

Remediation

Fixed in PraisonAI 4.6.34, as stated in the description above. This page lists no separate vendor workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.6.34 or later, where the legacy API server has authentication enabled and the issue is patched.
  • Restrict network access to the legacy Flask API server, blocking external traffic or isolating it to a trusted subnet.
  • If the legacy API server must remain, manually configure it to require an authentication token or block the /agents and /chat endpoints via firewall rules.
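The open-by-default behaviour described in the analysis above, and the third recommended action (putting a token check in front of a legacy server that must stay), as an added example that is not PraisonAI's own code: a stand-in WSGI app in the shape the advisory describes (GET /agents lists roles, POST /chat triggers the workflow, no authentication anywhere), a bearer-token middleware that wraps any WSGI app object, including a Flask app, without editing its routes, and an offline probe that shows the open server answering 200 and the wrapped one answering 401 until a valid token is presented. The token value, the toy role list and the helper names are assumptions made for the example.

```python
"""Added example, not PraisonAI's own code: a bearer-token WSGI middleware
placed in front of a legacy API app, plus an offline probe of the two
endpoints this advisory names. The token, the toy role list and the helper
names are assumptions made for the example."""
import hmac
import json
from io import BytesIO
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for a parsed agents.yaml (the real project loads YAML).
AGENT_ROLES = {"researcher": "gather notes", "writer": "draft the answer"}


def legacy_app(environ, start_response):
    """Stand-in for the legacy server: no authentication on any route.
    GET /agents lists roles; POST /chat triggers the configured workflow."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    if path == "/agents" and method == "GET":
        body = json.dumps(AGENT_ROLES)
    elif path == "/chat" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        payload = json.loads(environ["wsgi.input"].read(length) or b"{}")
        # In a real deployment this is where agents call tools and models,
        # which is why an unauthenticated caller reaching it matters.
        body = json.dumps({"ran": list(AGENT_ROLES),
                           "prompt": payload.get("message", "")})
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body.encode()]


class BearerTokenMiddleware:
    """Reject every request that lacks 'Authorization: Bearer <token>'.

    Wrapping the app object covers all routes at once, so /agents and /chat
    are protected without touching the legacy code (the CWE-306 gap)."""

    def __init__(self, app, token):
        if not token:
            raise ValueError("refusing to start without a token")  # fail closed
        self.app, self.token = app, token

    def __call__(self, environ, start_response):
        header = environ.get("HTTP_AUTHORIZATION", "")
        scheme, _, presented = header.partition(" ")
        # Constant-time compare so response timing does not leak the token.
        ok = scheme.lower() == "bearer" and hmac.compare_digest(
            presented.encode(), self.token.encode())
        if not ok:
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                                ("WWW-Authenticate", "Bearer")])
            return [b"unauthorized"]
        return self.app(environ, start_response)


def call(app, method, path, token=None, body=b""):
    """Send one request through a WSGI app offline; return the HTTP status code."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "CONTENT_TYPE": "application/json",
        "wsgi.input": BytesIO(body),
    }
    setup_testing_defaults(environ)  # fills in the rest of a valid environ
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    status = {}

    def start_response(status_line, headers, exc_info=None):
        status["code"] = int(status_line.split()[0])

    list(app(environ, start_response))  # drain the body iterable
    return status["code"]


def probe(app, token=None):
    """Status codes for the two endpoints the advisory names."""
    return {"agents": call(app, "GET", "/agents", token),
            "chat": call(app, "POST", "/chat", token, b'{"message": "hi"}')}


if __name__ == "__main__":
    token = "example-token"  # assumption; in practice read from a secret store
    print("open:", probe(legacy_app))                     # {'agents': 200, 'chat': 200}
    wrapped = BearerTokenMiddleware(legacy_app, token)
    print("wrapped, no token:", probe(wrapped))           # {'agents': 401, 'chat': 401}
    print("wrapped, with token:", probe(wrapped, token))  # {'agents': 200, 'chat': 200}
```

To apply this to a real deployment you wrap the Flask application object (a WSGI callable) instead of legacy_app and serve the wrapped object; the probe can then be pointed at a running server with any HTTP client to confirm that /agents and /chat answer 401 without a token. The middleware only covers requests routed through the wrapped object, so pair it with the network restriction in the second action rather than relying on it alone.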



Advisories

No advisories yet.

History

Fri, 08 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mervinpraison; Mervinpraison praisonai
Vendors & Products | | Mervinpraison; Mervinpraison praisonai

Fri, 08 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Praison; Praison praisonai
CPEs | | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products | | Praison; Praison praisonai

Fri, 08 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Title | | PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
Weaknesses | | CWE-1188; CWE-306; CWE-668
References | |
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T14:14:43.177Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44338

Vulnrichment

Updated: 2026-05-08T14:14:39.092Z

NVD

Status : Analyzed

Published: 2026-05-08T14:16:46.733

Modified: 2026-05-08T19:06:32.713

Link: CVE-2026-44338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:15:05Z

Weaknesses