Description
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Published: 2026-05-08
Score: 7.3 High
EPSS: 26.8% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI ships a legacy Flask API server that has authentication disabled by default, exposing the /agents and /chat endpoints. Anyone who can reach the server can trigger the configured agents.yaml workflow without providing a token, which amounts to arbitrary execution of the configured agent workflows. Depending on the agent logic, running those workflows can lead to code execution or data access, compromising confidentiality, integrity, or availability. The weakness combines missing authentication for a critical function (CWE-306), exposure of a resource to the wrong sphere (CWE-668), and initialization with an insecure default (CWE-1188).

Affected Systems

MervinPraison PraisonAI versions from 2.5.6 up to, but not including, 4.6.34 are affected; the flaw was fixed in 4.6.34 and later releases.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 7.3, indicating high severity. The EPSS score is 27%, indicating an elevated likelihood of exploitation, and because no authentication is required the attack surface is essentially any network user with connectivity to the server. Because the flaw permits execution of configured workflows, an attacker can gain privileged access to internal resources and possibly compromise the system. The vulnerability is not listed in the CISA KEV catalog, yet the open nature of the endpoints means the exploitation risk remains significant.

Generated by OpenCVE AI on June 24, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.6.34 or later, where the legacy API server has authentication enabled and the issue is patched.
  • Restrict network access to the legacy Flask API server, blocking external traffic or isolating it to a trusted subnet.
  • If the legacy API server must remain, manually configure it to require an authentication token or block the /agents and /chat endpoints via firewall rules.
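One way to apply the last recommendation, as an added example that is not PraisonAI's own code: a WSGI middleware (a Flask app is a WSGI app, so it can wrap `app.wsgi_app`) that rejects requests to /agents and /chat unless they carry a valid bearer token, and that fails closed when no token is configured instead of reproducing the insecure default. The bearer scheme, the middleware name and the stand-in `legacy_app` are assumptions for this example, not PraisonAI's configuration.

```python
import hmac

PROTECTED_PREFIXES = ("/agents", "/chat")  # endpoints named in the advisory


class RequireToken:
    """WSGI middleware requiring 'Authorization: Bearer <token>' on protected paths.
    Fails closed: with no token configured, protected paths are denied, not left open."""

    def __init__(self, app, token, protected=PROTECTED_PREFIXES):
        self.app, self.token, self.protected = app, token, protected

    def is_protected(self, path):
        return any(path == p or path.startswith(p + "/") for p in self.protected)

    def authorized(self, environ):
        if not self.token:  # unset or empty token: deny instead of allowing everyone
            return False
        scheme, _, presented = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        presented = presented.strip()
        if scheme.lower() != "bearer" or not presented:
            return False
        # Constant-time comparison so a wrong token cannot be narrowed down via timing.
        return hmac.compare_digest(presented.encode(), self.token.encode())

    def __call__(self, environ, start_response):
        if self.is_protected(environ.get("PATH_INFO", "")) and not self.authorized(environ):
            body = b'{"error": "authentication required"}'
            start_response("401 Unauthorized", [
                ("Content-Type", "application/json"),
                ("WWW-Authenticate", 'Bearer realm="api"'),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def legacy_app(environ, start_response):
    """Constructed stand-in for the legacy API app; it always answers 200."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def call(app, path, authorization=None):
    """Drive a WSGI app in-process and return (status, body); no HTTP server needed."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}
    body = b"".join(app(environ, lambda status, headers, exc_info=None: seen.update(status=status)))
    return seen["status"], body
```

Paths outside the protected prefixes pass through unchanged, so a health endpoint, for instance, keeps working while /agents and /chat require the token.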

Advisories

Source: GitHub GHSA
ID: GHSA-6rmh-7xcm-cpxj
Title: PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
History

Fri, 08 May 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mervinpraison; Mervinpraison praisonai
Vendors & Products                    Mervinpraison; Mervinpraison praisonai

Fri, 08 May 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Praison; Praison praisonai
CPEs                                  cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products                    Praison; Praison praisonai

Fri, 08 May 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 14:00:00 +0000

Type                 Values Removed   Values Added
Description                           PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Title                                 PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
Weaknesses                            CWE-1188; CWE-306; CWE-668
References
Metrics                               cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T14:14:43.177Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44338

Vulnrichment

Updated: 2026-05-08T14:14:39.092Z

NVD

Status: Analyzed

Published: 2026-05-08T14:16:46.733

Modified: 2026-06-17T10:50:31.593

Link: CVE-2026-44338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-1188: Initialization of a Resource with an Insecure Default
  • CWE-306: Missing Authentication for Critical Function
  • CWE-668: Exposure of Resource to Wrong Sphere