Hackers Targeted PraisonAI Vulnerability Hours After Disclosure
Briefly

"When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. With authentication disabled, /agents returns the configured agent metadata, while /chat accepts any JSON body with a message key and executes the agents.yaml workflow, ignoring the message value."
"Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances. The cybersecurity firm assesses that the observed activity was associated with a scanner, not interactive exploitation."
"Two passes ran eight minutes apart, each pushing approximately 70 requests in roughly 50 seconds. The first pass swept generic disclosure paths (/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock). The second pass narrowed to AI-agent surfaces. The activity only targeted /agents, but did not send requests to /chat, suggesting that the attempt was focused on reconnaissance and validation."
"Enumerate the agent list, confirm the auth bypass works, log the host as exploitable, and move on. Follow-on tooling is typically separate. Achieving remote code execution (RCE) using this vulnerability, Sysdig explains, is not straightforward, as the un"
PraisonAI is a multi-agent framework for deploying autonomous AI agents to perform complex tasks. A vulnerability tracked as CVE-2026-44338 affects PraisonAI versions 2.5.6 through 4.6.33. The issue exists because those versions shipped with a legacy Flask API server that had authentication disabled by default. When the server is reachable, any caller can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. /agents returns agent metadata, and /chat accepts JSON with a message key and executes the workflow while ignoring the message value. Sysdig observed rapid probing of internet-exposed instances shortly after disclosure, consistent with scanning and reconnaissance rather than interactive exploitation. Sysdig notes that achieving remote code execution is not straightforward.
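The scanner behaviour quoted above can be triaged from access logs. The following is an added example, not code from Sysdig, SecurityWeek or PraisonAI. It assumes a reverse proxy in front of the legacy API server writes combined-format logs, the sample lines are constructed, and the verdict names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /Gemfile.lock HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [01/Jan/2026:10:08:03 +0000] "GET /agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"
198.51.100.20 - - [01/Jan/2026:11:00:00 +0000] "GET /agents HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.20 - - [01/Jan/2026:11:00:05 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "curl/8.5.0"
192.0.2.44 - - [01/Jan/2026:12:00:00 +0000] "GET /agents HTTP/1.1" 401 40 "-" "Mozilla/5.0"
'''
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Generic disclosure paths and scanner user agent named in the article.
SWEEP_PATHS = {"/.env", "/admin", "/users/sign_in", "/eval", "/calculate", "/Gemfile.lock"}
SCANNER_UA = "CVE-Detector/1.0"

def classify(log_text):
    """Return {source_ip: {"verdict": str, "scanner_ua": bool, "sweep": bool}}."""
    seen = defaultdict(lambda: {"agents": set(), "chat": set(), "uas": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, target, status, ua = m.groups()
        path = target.split("?", 1)[0]
        s = seen[ip]
        s["uas"].add(ua)
        s["paths"].add(path)
        if path == "/agents":
            s["agents"].add(int(status))
        elif path == "/chat" and method == "POST":
            s["chat"].add(int(status))
    report = {}
    for ip, s in seen.items():
        if 200 in s["chat"]:
            verdict = "workflow-triggered"   # /chat was served: agents.yaml workflow ran
        elif 200 in s["agents"]:
            verdict = "recon-confirmed"      # agent metadata returned, /chat not used
        elif s["agents"] or s["chat"]:
            verdict = "probe-rejected"       # endpoint requested but not served
        else:
            verdict = "other"
        report[ip] = {"verdict": verdict, "scanner_ua": SCANNER_UA in s["uas"],
                      "sweep": bool(s["paths"] & SWEEP_PATHS)}
    return report

if __name__ == "__main__":
    for ip, result in classify(SAMPLE_LOG).items():
        print(ip, result)
```

A `recon-confirmed` source matches the pattern Sysdig describes (metadata fetched, no `/chat` request); a `workflow-triggered` source means the configured workflow actually executed and warrants review of what that workflow does.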
Read at SecurityWeek