CVE-2026-44338 - Vulnerability Analysis
HighCVSS: 7.3Last Updated: May 8, 2026
PraisonAI - Authentication Bypass
Published: May 8, 2026Updated: May 8, 2026PoC AvailableRemote Exploitable
Overview
PraisonAI 2.5.6 to <4.6.34 contains a broken authentication caused by disabled default authentication in legacy Flask API server, letting remote attackers access /agents and trigger workflows without token, exploit requires network access to API server.
Severity & Score
Severity: High
CVSS Score: 7.3
Impact
Remote attackers can access and trigger agent workflows without authentication, potentially leading to unauthorized actions or data exposure.
Mitigation
Upgrade to version 4.6.34 or later.
Related Resources
Details
- CVE ID
- CVE-2026-44338
- Severity
- High
- CVSS Score
- 7.3
- Type
- broken_authentication
- Status
- confirmed
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L