The tragicomic story of a popular AI platform that forgot about authorization.

Hackers began searching for vulnerable PraisonAI servers less than four hours after the security advisory was published. An automated scanner called CVE-Detector/1.0 attacked exposed instances of the platform almost immediately after the advisory was released, and Sysdig experts already call this speed the new norm for attacks on artificial intelligence projects.
The problem was discovered in PraisonAI, an open platform for managing AI agents with more than 7 thousand stars on GitHub. The vulnerability was assigned the identifier CVE-2026-44338. The danger lay in the legacy server module api_server.py, where the developers disabled authentication by default. Because of this setting, any user could access two protected routes without an access token.
The first request to a vulnerable path came 3 hours 44 minutes after the GitHub advisory was published. The scanner first checked standard files and control panels such as /.env and /admin, and then switched to routes associated with PraisonAI. Among them were /agents, /aagents and /api/tasks.
GitHub published the advisory on May 11, 2026 at 13:56 UTC. By 17:40, Sysdig specialists had recorded a GET /agents request from the IP address 146.190.133.49 with the header User-Agent: CVE-Detector/1.0. The server responded with 200 OK and disclosed the agents' configuration data, confirming successful exploitation of the vulnerability.
The danger of CVE-2026-44338 lies not so much in remote code execution as in the ability to start AI agent workflows without authorization. A POST /chat request triggers the scenario defined in the agent.yaml file, regardless of the content of the message. If the administrator has given agents access to the command line, file system, network requests or third-party services, an attacker can trigger all of those actions remotely.
Sysdig reports that such attacks are becoming widespread. Similar activity was previously recorded after the disclosure of vulnerabilities in Marimo, LMDeploy and Langflow. Experts attribute the increasing speed of attacks to the use of artificial intelligence, which helps attackers quickly analyze fixes, find the cause of the bug and generate working exploits within minutes.
PraisonAI versions 2.5.6 through 4.6.33 inclusive are vulnerable. The fix was released in version 4.6.34. At the time the advisory was published, the latest version available in the PyPI repository was still 4.6.33, so all current installations of the platform remained open to attack.
During the scan, the attackers also requested the files pyproject.toml, poetry.lock and praisonai/version.txt to determine the installed version of the platform. In addition, they probed for routes related to MCP servers and internal AI agent tools.
Sysdig recommends urgently updating PraisonAI to at least version 4.6.34, abandoning the legacy api_server.py and not exposing port 8080 to the Internet. Server owners are also advised to check their logs for the User-Agent CVE-Detector/1.0, rotate the credentials specified in agents.yaml, and review spending with OpenAI, Anthropic and other AI model providers after May 11, 2026.
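The log check recommended above can be scripted. The following is an added example, not code from Sysdig or PraisonAI: it flags post-advisory requests that carry the scanner's User-Agent, hit the probed paths, or received 200 on /agents or /chat. The combined log format, the function names, the URL form of the version-file paths and the sample lines are assumptions.

```python
import re
from datetime import datetime, timezone

# Indicators taken from the article.
ADVISORY_TIME = datetime(2026, 5, 11, 13, 56, tzinfo=timezone.utc)
SCANNER_UA = "CVE-Detector/1.0"
EXPOSED_ROUTES = {"/agents", "/chat"}  # routes the article describes answering without a token
RECON_SUFFIXES = ("/.env", "/admin", "/aagents", "/api/tasks",
                  "pyproject.toml", "poetry.lock", "praisonai/version.txt")

# Assumption: combined log format; adapt the pattern to your proxy or server.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def triage(line):
    """Return a finding dict for a suspicious post-advisory request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    if ts < ADVISORY_TIME:
        return None
    path = m["path"].split("?", 1)[0]
    reasons = []
    if SCANNER_UA in m["ua"]:
        reasons.append("scanner-user-agent")
    if path in EXPOSED_ROUTES and m["status"] == "200":
        reasons.append("exposed-route-200")  # data served or workflow run: verify the caller
    elif path.endswith(RECON_SUFFIXES):
        reasons.append("recon-path")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": ts, "request": f'{m["method"]} {path}', "reasons": reasons}

def scan(log_text):
    return [f for f in map(triage, log_text.splitlines()) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:17:39:58 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:17:40:02 +0000] "GET /agents HTTP/1.1" 200 812 "-" "CVE-Detector/1.0"
198.51.100.23 - - [12/May/2026:02:11:45 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "python-requests/2.32.3"
192.0.2.10 - - [10/May/2026:09:00:00 +0000] "GET /agents HTTP/1.1" 200 812 "-" "curl/8.5.0"
192.0.2.10 - - [12/May/2026:09:00:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"].isoformat(), f["ip"], f["request"], ",".join(f["reasons"]))
```

A 200 on /chat from an unexpected address is the finding to prioritize, since that request runs the configured agent workflow whatever the User-Agent says.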
