CVE-2026-44338 is an authentication bypass vulnerability in PraisonAI's legacy Flask API server, present in versions 2.5.6 through 4.6.33. The server had authentication disabled by default, allowing any unauthenticated user who can reach the server to access the /agents endpoint and trigger workflows via /chat without providing a token. Exploitation attempts were observed within four hours of public disclosure, focusing on reconnaissance rather than active exploitation. The vulnerability does not directly enable arbitrary code execution but allows triggering of workflows that may interact with various AI providers and tools, potentially leading to impactful actions depending on the workflow configuration. The issue was resolved in version 4.6.34.

The vulnerability allows unauthenticated attackers to access agent metadata and trigger configured workflows remotely without authentication. Although it does not directly permit arbitrary code execution, the potential impact depends on what the workflows are configured to do, which may include calling AI services, executing code interpreters, or accessing file systems. Early exploitation attempts were limited to reconnaissance, indicating attackers were validating the vulnerability before potentially developing further exploit tools. The rapid scanning activity highlights the reduced window for detection and response following public disclosure.

A fix for this vulnerability is available in PraisonAI version 4.6.34. Organizations using affected versions should update to this version as soon as possible to remediate the authentication bypass. Since this is not a cloud service, patching the deployed instances is required. Monitoring for unusual access to the /agents and /chat endpoints may help detect exploitation attempts, but patching remains the primary mitigation.