Share
## https://sploitus.com/exploit?id=5C9F040D-4B80-54FA-ACFB-3DEFEE20F072
# CVE-2026-44338 PraisonAI Authentication Bypass Lab

Local Docker lab for CVE-2026-44338, an authentication bypass in PraisonAI's legacy Flask API server.

This lab demonstrates the unauthenticated access condition on the legacy API routes. It intentionally uses a safe route-level reproduction instead of a full PraisonAI deployment, so the proof stays focused on the authentication flaw and does not trigger real agent workflows or external LLM calls.

## Summary

CVE-2026-44338 affects PraisonAI versions `>= 2.5.6` and ` auth disabled by default, unauthenticated requests return 200
patched -> auth required by default, unauthenticated requests return 401
```

## Lab Design

The lab contains two local services:

| Service   | URL                     | Behavior                                      |
| --------- | ----------------------- | --------------------------------------------- |
| `vuln`    | `http://127.0.0.1:8081` | Reproduces vulnerable fail-open auth behavior |
| `patched` | `http://127.0.0.1:8082` | Requires bearer-token authentication          |

Both services are bound to `127.0.0.1` only.

The `/chat` route uses a dummy runner instead of a real PraisonAI workflow. This provides observable proof that the unauthenticated request reaches the workflow trigger path without causing external side effects.

## Repository Structure

```text
.
โ”œโ”€โ”€ docker-compose.yml
โ”œโ”€โ”€ vuln
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ””โ”€โ”€ start_server.py
โ”œโ”€โ”€ patched
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ””โ”€โ”€ start_server.py
โ”œโ”€โ”€ poc
โ”‚   โ””โ”€โ”€ poc.py
โ””โ”€โ”€ .gitignore
โ””โ”€โ”€ README.md
```

## Run

```bash
docker compose up --build -d
python3 poc/poc.py
```

## Expected Result

The vulnerable service allows unauthenticated access:

```text
=== vuln ===
[unauthenticated] GET /agents
status: 200

[unauthenticated] POST /chat
status: 200

verdict: LIKELY_VULNERABLE
```

The patched service blocks unauthenticated access:

```text
=== patched ===
[unauthenticated] GET /agents
status: 401

[unauthenticated] POST /chat
status: 401

verdict: NOT_VULNERABLE_OR_PROTECTED
```

Final expected summary:

```text
vuln:    LIKELY_VULNERABLE
patched: NOT_VULNERABLE_OR_PROTECTED
```

## Manual Verification

Check the vulnerable route:

```bash
curl -i http://127.0.0.1:8081/agents
```

Expected vulnerable response:

```text
HTTP/1.1 200 OK
```

Check the patched route:

```bash
curl -i http://127.0.0.1:8082/agents
```

Expected patched response:

```text
HTTP/1.1 401 UNAUTHORIZED
```

Server logs should show the difference clearly:

```text
vuln:    "GET /agents HTTP/1.1" 200
patched: "GET /agents HTTP/1.1" 401
```

## Cleanup

```bash
docker compose down -v
```

## Safety Notes

This lab is intended for local security research only.

The PoC does not:

* execute shell commands
* use real API keys
* call external LLM providers
* scan external networks
* trigger real PraisonAI agent workflows

## References

* GitHub Advisory: GHSA-6rmh-7xcm-cpxj
  [https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj)

* NVD: CVE-2026-44338
  [https://nvd.nist.gov/vuln/detail/CVE-2026-44338](https://nvd.nist.gov/vuln/detail/CVE-2026-44338)

* OSV: GHSA-6rmh-7xcm-cpxj
  [https://osv.dev/vulnerability/GHSA-6rmh-7xcm-cpxj](https://osv.dev/vulnerability/GHSA-6rmh-7xcm-cpxj)

* Vulnerable source: PraisonAI `v4.6.33` `src/praisonai/api_server.py`
  [https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.33/src/praisonai/api_server.py](https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.33/src/praisonai/api_server.py)

* Patched source: PraisonAI `v4.6.34` `src/praisonai/api_server.py`
  [https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.34/src/praisonai/api_server.py](https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.34/src/praisonai/api_server.py)