Critical Pre-Auth Flaw CVE-2026-44338 Exploited to Hijack Autonomous AI Agents

Adversaries began targeted reconnaissance against vulnerable PraisonAI nodes less than four hours after the public disclosure of a critical security defect. An automated scanner identifying itself as CVE-Detector/1.0 probed exposed instances of the platform almost immediately after the advisory appeared, a speed that threat intelligence analysts at Sysdig describe as the new normal for attacks on artificial intelligence frameworks.

The vulnerability was found in PraisonAI, an open-source orchestrator for autonomous AI agents with more than 7,000 stars on GitHub. The flaw has been assigned the identifier CVE-2026-44338. It resided in a legacy server component, api_server.py, in which the developers had explicitly disabled authentication by default. Because of this default, any unauthenticated actor could query two restricted endpoint routes without a valid bearer token.

The first request against the affected paths arrived exactly three hours and forty-four minutes after the disclosure on GitHub. The scanner first enumerated common configuration files and administrative portals, such as /.env and /admin, before pivoting to routes specific to the PraisonAI framework, notably /agents, /api/agents, and /api/tasks.

GitHub published the security advisory on May 11, 2026, at 13:56 UTC. By 17:40 UTC, Sysdig’s telemetry captured an inbound GET /agents request from the IP address 146.190.133.49, carrying the header User-Agent: CVE-Detector/1.0. The host server answered the request with a 200 OK status, returning detailed agent configuration metadata and confirming that the defect was exploitable.

The primary threat posed by CVE-2026-44338 is less traditional arbitrary code execution than the unauthorized invocation of autonomous agent workflows. A malicious POST /chat request triggers the execution logic defined in the host’s agents.yaml blueprint, regardless of the message body it carries. If the system administrator has given these agents low-level system access, such as command-line execution, file system modification, outbound network requests, or integration with external APIs, an intruder effectively gains remote control of those same capabilities.
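The root cause described above is authentication that shipped disabled by default. The following is an added illustration, not PraisonAI’s code, of how a server-side gate for such routes can fail closed instead: with no token provisioned, protected routes are refused rather than opened to everyone, and the comparison is constant-time. The route list is taken from the article; the environment variable name AGENT_API_TOKEN, the AuthConfig class and the authorize function are hypothetical names chosen for this example.

```python
"""Added illustration (not PraisonAI's code): a fail-closed bearer-token gate.

A config default of 'auth_enabled = False' turns every unauthenticated client
into an administrator. This hypothetical check instead refuses protected
routes until a token has actually been provisioned.
"""
import hmac
import os
from typing import Optional

# Routes the article names as reachable without a token on vulnerable versions.
PROTECTED_ROUTES = {"/agents", "/api/agents", "/api/tasks", "/chat"}


class AuthConfig:
    """Hypothetical server configuration. Fails closed: with no token
    configured, protected routes are refused rather than opened to everyone."""

    def __init__(self, api_token: Optional[str]):
        # Normalise empty strings to None so "" cannot silently disable auth.
        self.api_token = api_token or None


def extract_bearer(headers: dict) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(config: AuthConfig, method: str, path: str, headers: dict) -> int:
    """Return the HTTP status the server should answer with before routing.

    200 -> request may proceed to the route handler
    401 -> missing or wrong bearer token
    503 -> route is protected but no token has been provisioned (fail closed)
    """
    if path not in PROTECTED_ROUTES:
        return 200  # public route, e.g. a health check
    if config.api_token is None:
        return 503
    presented = extract_bearer(headers)
    if presented is None:
        return 401
    # Constant-time comparison so token guessing gains no timing signal.
    if not hmac.compare_digest(presented.encode(), config.api_token.encode()):
        return 401
    return 200


def config_from_env(env: dict) -> AuthConfig:
    """Build the config from an environment mapping (hypothetical variable name)."""
    return AuthConfig(env.get("AGENT_API_TOKEN"))


if __name__ == "__main__":
    cfg = config_from_env(os.environ)
    # With no AGENT_API_TOKEN set this prints 503, never 200.
    print(authorize(cfg, "GET", "/agents", {"User-Agent": "CVE-Detector/1.0"}))
```

The design point is the 503 branch: a missing secret is treated as a deployment error that blocks the privileged routes, not as a signal to skip the check. A POST /chat that would trigger agents.yaml workflows therefore never reaches the handler without a valid token.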

Sysdig reports that these opportunistic campaigns are escalating into widespread events. Analogous high-velocity scanning was previously documented following the disclosure of design flaws within Marimo, LMDeploy, and Langflow. Analysts attribute this accelerated threat lifecycle to the adversaries’ own integration of artificial intelligence, leveraging specialized models to rapidly parse code patches, isolate root-cause errors, and synthesize weaponized exploits within minutes.

The vulnerability affects PraisonAI versions 2.5.6 through 4.6.33 inclusive, with a fix released in version 4.6.34. Crucially, at the time the advisory was published, the newest release available on the PyPI package repository was version 4.6.33, leaving every active production deployment temporarily without a patched version to upgrade to.

During the reconnaissance phase, the scanning assets also probed for configuration manifests, including pyproject.toml, poetry.lock, and praisonai/version.txt, to accurately fingerprint the running software iteration. Furthermore, the threat actors actively hunted for pathways associated with Model Context Protocol (MCP) daemons and internal tool repositories utilized by the underlying AI agents.

Sysdig strongly urges administrators to upgrade PraisonAI installations to version 4.6.34 or later, stop using the legacy api_server.py module, and stop exposing port 8080 directly to the public internet. Administrators are further advised to audit access logs for the CVE-Detector/1.0 user-agent string, rotate all operational keys listed in agents.yaml, and perform a thorough billing audit of API consumption for OpenAI, Anthropic, and other foundation-model vendors for the period after May 11, 2026.
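The log audit recommended above can be scripted. The following is an added example, not Sysdig’s tooling or PraisonAI’s code, that parses Apache/nginx combined-format access log lines, flags requests carrying the CVE-Detector/1.0 user agent, flags 200 responses on the PraisonAI-specific routes (since a 200 on /agents or /api/agents means configuration data was handed to the client) and records hits on the generic reconnaissance paths named in the article. The sample log lines are constructed for this example; the scanner IP and timestamp window reuse the values reported on this page, the internal 10.0.0.7 client and all byte counts are invented.

```python
"""Added example (not Sysdig's or PraisonAI's code): audit an access log for the
CVE-2026-44338 scanning activity described in the article.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA = "CVE-Detector/1.0"
# Routes named in the article: agent/task enumeration plus the chat trigger.
PRAISONAI_ROUTES = {"/agents", "/api/agents", "/api/tasks", "/chat"}
# Generic reconnaissance and version-fingerprinting paths the scanner tried.
RECON_PATHS = {"/.env", "/admin", "/pyproject.toml", "/poetry.lock",
               "/praisonai/version.txt"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def audit(lines):
    """Classify each request; returns lists of matching records plus a parse-failure count."""
    findings = {"scanner_hits": [], "exposed_routes": [], "recon_probes": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"] += 1
            continue
        if rec["ua"] == SCANNER_UA:
            findings["scanner_hits"].append(rec)
        # Any 200 on these routes is worth triage: on vulnerable builds no token was required.
        if rec["path"] in PRAISONAI_ROUTES and rec["status"] == 200:
            findings["exposed_routes"].append(rec)
        if rec["path"] in RECON_PATHS:
            findings["recon_probes"].append(rec)
    return findings


def summarize_by_ip(records):
    """Count records per source IP, e.g. to see which hosts ran the scanner."""
    return dict(Counter(rec["ip"] for rec in records))


# Constructed sample log; the scanner IP and date come from the article, the rest is invented.
SAMPLE_LOG = """
146.190.133.49 - - [11/May/2026:17:40:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:17:40:03 +0000] "GET /admin HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:17:40:05 +0000] "GET /agents HTTP/1.1" 200 2814 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:17:40:06 +0000] "GET /api/tasks?limit=50 HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"
10.0.0.7 - - [11/May/2026:17:41:10 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/8.5.0"
10.0.0.7 - - [11/May/2026:17:42:00 +0000] "POST /chat HTTP/1.1" 200 980 "-" "python-requests/2.32.3"
this line is deliberately malformed and must be counted, not crash the audit
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    print("scanner hits by IP:", summarize_by_ip(result["scanner_hits"]))
    for rec in result["exposed_routes"]:
        print("200 on PraisonAI route:", rec["ip"], rec["ts"], rec["method"], rec["path"])
    print("recon probes:", len(result["recon_probes"]), "unparsed:", result["unparsed"])
```

Run it against a real log with `audit(open("/var/log/nginx/access.log"))`. The exposed_routes list is a triage queue rather than a verdict: a 200 on /chat from an internal client may be legitimate, but on a version in the affected range every such response was served without a token, which is why rotating the keys in agents.yaml and auditing model-vendor billing are paired with the log review.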
