PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure

Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of its public disclosure.
The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a missing-authentication flaw that exposes sensitive endpoints to anyone who can reach the server, allowing an attacker to invoke protected API server functionality without a token.
“PraisonAI ships a legacy Flask API server that is disabled by default,” according to an advisory issued by the maintainers earlier this month. “When that server is deployed, any caller with access to it can hit /agents and trigger the configured agents.yaml workflow via /chat without providing a token.”
Specifically, the Flask-based API server, src/praisonai/api_server.py, hardcodes AUTH_ENABLED = False and AUTH_TOKEN = None. According to PraisonAI, successful exploitation of the flaw can have various effects, including –
- Unauthorized enumeration of the default agent file via /agents
- Unauthorized triggering of the locally configured “agents.yaml” workflow via /chat
- Repeated consumption of model/API quota, and
- Exposure of the results of PraisonAI.run() to an unauthenticated caller
“The impact, therefore, depends on what the user's agents.yaml is allowed to do, but the authentication bypass is unconditional on the deployed legacy server,” PraisonAI said.
The vulnerability affects all Python package versions from 2.5.6 to 4.6.33 and has been patched in version 4.6.34. Security researcher Shmulik Cohen has been credited with discovering and reporting the bug.
In a report published this week, cloud security company Sysdig said it had observed attempts to exploit the flaw within hours of it becoming public knowledge.
“Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing vulnerable instances exposed on the Internet,” it said. “The advisory was published [on May 11, 2026,] at 13:56 UTC. The first targeted request came at 17:40 UTC the same day.”
The activity, according to Sysdig, originated from the IP address 146.190.133[.]49 and followed a staged scanner profile: two passes eight minutes apart, each pushing about 70 requests in roughly 50 seconds.
While the first pass ran generic exposure checks (/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock), the second pass specifically targeted AI-agent frameworks, including PraisonAI.
“The probes directly associated with CVE-2026-44338 were GET /agents requests with no Authorization header and User-Agent CVE-Detector/1.0,” Sysdig said. “That request returns 200 OK with body {"agent_file":"agents.yaml","agents":[…]}, confirming that the bypass was successful.”
The scanner was not observed sending any request to the /chat endpoint during either pass, indicating that the activity is consistent with an initial check of whether the auth bypass is present and the host is exploitable via CVE-2026-44338.
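As an added illustration of how a defender might triage web server access logs for the probing pattern Sysdig describes (this is example code, not Sysdig's or PraisonAI's; the log lines and IP addresses are constructed, and the burst threshold is an assumption):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx combined-format lines; not real Sysdig telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:17:40:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:17:40:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:17:40:05 +0000] "GET /eval HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:17:48:10 +0000] "GET /agents HTTP/1.1" 200 412 "-" "CVE-Detector/1.0"
198.51.100.5 - - [11/May/2026:17:50:00 +0000] "GET /agents HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.5 - - [11/May/2026:17:50:03 +0000] "POST /chat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# First-pass generic checks named in the report; /agents is the CVE-specific second-pass probe.
GENERIC_PATHS = {"/.env", "/admin", "/users/sign_in", "/eval", "/calculate", "/Gemfile.lock"}
SCANNER_UA_PREFIX = "CVE-Detector"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(log_text, burst_n=50, burst_window_s=60):
    """Return {ip: set(reasons)} for sources whose traffic matches the observed probing."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        if any(r["ua"].startswith(SCANNER_UA_PREFIX) for r in recs):
            reasons.add("scanner_ua")  # self-identifying scanner seen in the report
        # Two-pass pattern: generic probes, then GET /agents answered 200 (no auth enforced).
        if any(r["path"] in GENERIC_PATHS for r in recs) and any(
                r["path"] == "/agents" and r["status"] == "200" for r in recs):
            reasons.add("agents_200_after_generic_probe")
        times = sorted(r["ts"] for r in recs)  # sliding window for the ~70-requests-in-50s burst
        if any(sum((t - t0).total_seconds() <= burst_window_s for t in times[i:]) >= burst_n
               for i, t0 in enumerate(times)):
            reasons.add("burst")
        if reasons:
            findings[ip] = reasons
    return findings
```

A 200 on an unauthenticated GET /agents is the signal worth alerting on; a patched server should not answer that request successfully.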
The rapid exploitation of PraisonAI is the latest example of a broader trend in which threat actors weaponize newly disclosed flaws in the wild before they are patched. Users are advised to apply the latest fixes as soon as possible, review existing deployments, check model provider billing for any suspicious activity, and rotate any secrets referenced in “agents.yaml.”
“Adversary tooling has reached the entire AI and agent ecosystem — regardless of size, and not just household names — and the operational assumption for any project deploying unauthenticated automation should be that the window between exposure and effective exploitation is measured in single-digit hours,” Sysdig said.