{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44338/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-44338"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (\u003e= 2.5.6, \u003c= 4.6.33)"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","API","CVE-2026-44338"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI includes a legacy Flask API server (\u003ccode\u003esrc/praisonai/api_server.py\u003c/code\u003e) that, by default, ships with authentication disabled. This is due to hardcoded values \u003ccode\u003eAUTH_ENABLED = False\u003c/code\u003e and \u003ccode\u003eAUTH_TOKEN = None\u003c/code\u003e, causing the \u003ccode\u003echeck_auth()\u003c/code\u003e function to always return \u003ccode\u003eTrue\u003c/code\u003e and effectively bypass authentication checks on \u003ccode\u003e/agents\u003c/code\u003e and \u003ccode\u003e/chat\u003c/code\u003e endpoints. The affected versions range from v2.5.6 to 4.6.33, which is the current PyPI release as of May 1, 2026. The \u003ccode\u003eserve agents\u003c/code\u003e command is not affected, but the older \u003ccode\u003eapi_server.py\u003c/code\u003e binds to 0.0.0.0:8080 by default, and the generated sample API deployment YAML recommends \u003ccode\u003ehost: 0.0.0.0\u003c/code\u003e together with \u003ccode\u003eauth_enabled: false\u003c/code\u003e, further exacerbating the issue. This vulnerability, identified as CVE-2026-44338, allows unauthenticated access to sensitive functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eTarget identifies a PraisonAI instance running the vulnerable legacy API server.\u003c/li\u003e\n\u003cli\u003eTarget sends a GET request to \u003ccode\u003e/agents\u003c/code\u003e endpoint to enumerate available agents.\u003c/li\u003e\n\u003cli\u003eThe API server, due to disabled authentication, grants access to the \u003ccode\u003e/agents\u003c/code\u003e endpoint without requiring any authentication credentials.\u003c/li\u003e\n\u003cli\u003eThe server responds with agent metadata, revealing the configured \u003ccode\u003eagents.yaml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eTarget crafts a POST request to the \u003ccode\u003e/chat\u003c/code\u003e endpoint, including a \u003ccode\u003emessage\u003c/code\u003e key in the JSON payload.\u003c/li\u003e\n\u003cli\u003eThe API server processes the request, bypassing authentication, and executes the workflow defined in \u003ccode\u003eagents.yaml\u003c/code\u003e by calling \u003ccode\u003ePraisonAI(agent_file=\u0026quot;agents.yaml\u0026quot;).run()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe API server returns the result of the \u003ccode\u003ePraisonAI.run()\u003c/code\u003e call to the unauthenticated attacker.\u003c/li\u003e\n\u003cli\u003eDepending on the configuration specified in agents.yaml, this can result in data exfiltration, code execution, or denial of service via resource exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any attacker with network access to the vulnerable PraisonAI instance to enumerate configured agents, trigger workflows defined in \u003ccode\u003eagents.yaml\u003c/code\u003e, consume model/API quota, and potentially expose sensitive information. The impact is determined by the capabilities defined in the \u003ccode\u003eagents.yaml\u003c/code\u003e file, but the authentication bypass itself is unconditional in the shipped legacy server. This vulnerability affects PraisonAI versions 2.5.6 through 4.6.33.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Access to PraisonAI Agents Endpoint\u0026rdquo; to detect unauthenticated access attempts to the \u003ccode\u003e/agents\u003c/code\u003e endpoint within your web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Chat Request to PraisonAI API Server\u0026rdquo; to identify unauthorized requests being made to the \u003ccode\u003e/chat\u003c/code\u003e endpoint to trigger workflow executions.\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to a version that addresses CVE-2026-44338 or migrate to the newer \u003ccode\u003eserve agents\u003c/code\u003e command which defaults to binding on localhost and supports API keys.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure the legacy API server\u0026rsquo;s \u003ccode\u003eAUTH_ENABLED\u003c/code\u003e setting is set to \u003ccode\u003eTrue\u003c/code\u003e and configure a strong \u003ccode\u003eAUTH_TOKEN\u003c/code\u003e to mitigate the unauthenticated access vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to the legacy API server to minimize the attack surface and prevent unauthorized external access to the vulnerable endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T13:57:56Z","date_published":"2026-05-11T13:57:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-auth-bypass/","summary":"PraisonAI ships a legacy Flask API server with authentication disabled by default, allowing any reachable caller to access `/agents` and trigger the configured `agents.yaml` workflow through `/chat` without providing a token (CVE-2026-44338).","title":"PraisonAI Legacy API Server Authentication Bypass (CVE-2026-44338)","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44338","version":"https://jsonfeed.org/version/1.1"}