Default Configuration in PraisonAI Flask Server
PraisonAI's legacy Flask implementation shipped with AUTH_ENABLED=False as the default across versions 2.5.6 to 4.6.33. This single flag removed all token validation from the API layer. Any network-reachable instance exposed the /agents endpoint, which returned the full contents of agents.yaml, and the /chat endpoint, which accepted unauthenticated POST requests to trigger configured agent workflows.
The absence of server-side token enforcement meant that standard HTTP clients could interact with the multi-agent framework exactly as an authorized user would. Model quota consumption, internal agent definitions, and execution logs became readable or modifiable without further checks.
Exploitation Path After Disclosure
Public CVE details appeared on 14 May 2026. Within four hours, automated scanners had already sent probing requests to known PraisonAI deployments. Because the vulnerable code path required no password, API key, or session cookie, each probe succeeded on the first attempt. Attackers enumerated available agents and submitted workflow triggers that consumed third-party model quotas or exfiltrated conversation context.
No secondary device or behavioral signal was present to interrupt the flow: the attack succeeded at the authorization stage itself, before any session was established.
Immediate Operational Impact
Organizations running unpatched PraisonAI instances faced direct model cost inflation and potential leakage of agent definitions that often contained internal system prompts or data sources. The framework's supply-chain position amplified the reach: any downstream application embedding PraisonAI inherited the same unauthenticated endpoints.
Patched version 4.6.34 introduced mandatory authentication on both endpoints, but the four-hour window between disclosure and active exploitation left little margin for reactive patching.
Device-Bound Public-Key Credentials as Prevention
Replacing default-disabled authentication with device-bound credentials removes the need for an AUTH_ENABLED-style toggle altogether. Registration binds a private key to the specific hardware at onboarding. Each subsequent authorization request is signed locally on that device and verified by the server against the enrolled public key, so there is no central flag that can be left false. The same-device flow requires no delivery of a second factor and covers the full lifecycle from device enrollment through decommissioning.
FAQ
How quickly did exploitation begin after CVE publication? Automated scanning started within approximately four hours of the advisory release.
Which endpoints were directly exposed? The /agents endpoint for configuration enumeration and the /chat endpoint for workflow execution required no authentication tokens.
What versions contained the vulnerable default setting? Versions 2.5.6 through 4.6.33 shipped with AUTH_ENABLED=False by default.
Does patching to 4.6.34 fully resolve the exposure? The update enforces authentication on the affected endpoints, closing the unauthenticated access path described in CVE-2026-44338.