Attackers Exploit Unpatched PraisonAI API Authentication Gap

Attackers began probing PraisonAI deployments within hours of the advisory, scanning for the exposed /agents and /chat endpoints on internet-connected instances.

CSBadmin

Vulnerability Details

A critical authentication bypass vulnerability has been discovered in PraisonAI, an open-source framework used for orchestrating multiple AI agents. The flaw exists in the legacy Flask API server component, where authentication is hard-coded to be disabled by default. This means any network caller reaching the API can access agent configurations and trigger workflows without providing a token.

The vulnerable code in the api_server.py file sets AUTH_ENABLED to False and AUTH_TOKEN to None, leaving endpoints like /agents and /chat exposed. An attacker can enumerate configured agent files, trigger the agents.yaml workflow repeatedly to consume API quotas, and access results from the main run function. All Python package versions from 2.5.6 through 4.6.33 are affected, with the fix arriving in version 4.6.34.

Rapid Exploitation Timeline

Security researchers observed that threat actors began targeting the vulnerability within hours of the public advisory. A scanner identifying itself as CVE-Detector/1.0 probed internet-exposed instances of the vulnerable endpoint just three hours and 44 minutes after the advisory was released. This rapid response highlights the importance of immediate patching for organizations using this framework.

Sysdig, the cloud security company tracking these attacks, confirmed that the first targeted reconnaissance occurred shortly after disclosure. Organizations running PraisonAI instances should verify they are on version 4.6.34 or later and ensure the legacy Flask API server is not exposed to untrusted networks.
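A triage sketch for the two checks above, added here as an example and not taken from the advisory or the PraisonAI project: it tests a version string against the affected range and flags access-log requests to /agents and /chat or from the CVE-Detector/1.0 scanner. The combined access-log layout (for example from a reverse proxy in front of the API), the function names and the sample lines are assumptions.

```python
import re

# Affected range and fixed version as stated in the article.
FIRST_AFFECTED, FIXED = (2, 5, 6), (4, 6, 34)
# Endpoints and scanner User-Agent named in the article.
EXPOSED_PATHS = ("/agents", "/chat")
SCANNER_UA = "CVE-Detector/1.0"
# Assumed log layout: the common "combined" access-log format (not from the article).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def is_affected(version: str) -> bool:
    """True if a dotted version string falls in 2.5.6 through 4.6.33."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) < FIXED


def triage(lines):
    """Flag requests to the exposed endpoints or from the named scanner."""
    findings = []
    for line in lines:
        if not (m := LOG_RE.match(line)):
            continue
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        on_endpoint = path in EXPOSED_PATHS
        scanner = SCANNER_UA in m["ua"]
        if on_endpoint or scanner:
            findings.append({
                "ip": m["ip"], "path": path, "scanner_ua": scanner,
                "served": on_endpoint and m["status"].startswith("2"),
            })
    return findings


# Constructed sample lines (documentation address ranges), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"',
    '198.51.100.9 - - [01/Jan/2025:10:05:00 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"',
    '192.0.2.4 - - [01/Jan/2025:10:06:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
    '203.0.113.7 - - [01/Jan/2025:10:07:00 +0000] "GET /chat/ HTTP/1.1" 401 0 "-" "CVE-Detector/1.0"',
]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A finding with "served" set to True means the endpoint returned a 2xx response, which makes those source addresses and time windows the first ones to review.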

Source: The Hacker News
