PraisonAI Authentication Bypass CVE-2026-44338 Exploited
🔒 PraisonAI contained a critical authentication bypass (CVE-2026-44338) in its legacy Flask API server that sets AUTH_ENABLED = False and AUTH_TOKEN = None by default. Exploitation allows unauthenticated callers to enumerate configured agents via /agents and to trigger workflows through /chat, potentially consuming model quotas and exposing run results. The flaw affects versions 2.5.6–4.6.33 and was fixed in v4.6.34; operators are advised to update, audit deployments, and rotate exposed credentials.
