CVE-2026-44338: Scanners Target PraisonAI Within Four Hours of Disclosure

CVE-2026-44338 is an authentication bypass vulnerability (CVSS 7.3 HIGH) in the legacy Flask API server of PraisonAI, where default settings disable authentication, allowing unauthenticated network access to endpoints that can trigger preconfigured agentic workflows. Affected versions are praisonai 2.5.6 through 4.6.33, and the flaw is fixed in version 4.6.34. This vulnerability was actively scanned and exploited within four hours of its public disclosure, underscoring the immediate operational risk posed by such public flaws.

An automated scanner identified as CVE-Detector/1.0 began targeting exposed PraisonAI instances at 17:40:55 UTC on May 11, 2026—less than four hours after the initial security advisory was published. The probe confirmed an authentication bypass in the legacy Flask API server, granting access to preconfigured agentic workflows. This rapid exploitation highlights a growing trend: open-source autonomous agent ecosystems are being actively monitored. Attackers no longer require zero-days; a public CVE is enough to turn insecure defaults into a concrete operational risk.

Key Takeaways

Record Response Time: The first exploit attempt was recorded less than four hours after disclosure, with scanners successfully validating the bypass on exposed endpoints.
Critical Vulnerability: The PraisonAI legacy API server hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None, leaving the /agents and /chat endpoints accessible without credentials.
Variable Impact: Unauthorized execution of workflows defined in agents.yaml can lead to LLM quota exhaustion, data exfiltration, or the activation of local tools, depending on the environment.
Current Status: While no POST requests to /chat have been observed yet—suggesting a reconnaissance phase—a patch is now available in version 4.6.34.

The Mechanics of the Legacy API Server Bypass

The PraisonAI legacy API server, implemented in Flask, manages requests directed toward user-configured agents. In affected versions, authentication controls are disabled by default: the source code sets AUTH_ENABLED to False and AUTH_TOKEN to None, so no header or session-cookie check is ever performed. When a client sends a GET request to the /agents endpoint, the server responds with an HTTP 200 OK status and a JSON payload. This payload reveals the agent_file (typically agents.yaml) and a list of available agents.
Furthermore, a POST method on /chat directly triggers PraisonAI(agent_file='agents.yaml').run() without sanitizing or filtering the content of the message field. Consequently, any actor able to reach the endpoint can trigger predefined workflows, regardless of the system owner's intent. The flaw affects versions 2.5.6 through 4.6.33 and has been assigned a CVSS v3.1 score of 7.3 (HIGH). The attack vector is network-based and requires no authentication, special privileges, or user interaction.

The Timeline: CVE-Detector/1.0’s Four-Hour Sprint

The advisory for CVE-2026-44338 went public at 13:56:16 UTC on May 11, 2026. By 17:40:55 UTC that same day, Sysdig’s threat intelligence platform recorded the first suspicious contact. The tool used the User-Agent CVE-Detector/1.0 and operated from IP address 146.190.133.49, located within the DigitalOcean network (AS14061) in the United States. The activity was highly structured, occurring in two distinct waves separated by an eight-minute interval. Each wave generated approximately seventy requests, a cadence indicative of an automated scanner rather than manual exploitation. The first sequence targeted generic paths to map the attack surface, while the second focused specifically on PraisonAI’s agent endpoints. This narrow window between disclosure and the first confirmed probe makes traditional patching cycles—whether weekly or even daily—functionally obsolete for defending such instances.

"Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances." — Sysdig Threat Research Team

Assessing the Risk: Impact on Exposed Instances

While this authentication bypass does not equate to traditional arbitrary remote code execution (RCE), the danger lies in the framework’s design. The /chat endpoint acts as a trigger for workflows that operators have built to perform specific tasks.
Without an authentication barrier, anyone reaching the server inherits the permissions of those workflows. Sysdig identified several production risks, including the unauthorized consumption of LLM API quotas, which can lead to unpredictable costs for the system owner. Additionally, unauthorized actors could trigger agent tools configured in agents.yaml, which may include code interpreters, shell access, or file I/O operations. Information disclosure is another concern: the response to GET /agents exposes the internal structure of the agents and the configuration file path, providing valuable intelligence for follow-up attacks.

Currently, the lack of observed POST requests to /chat suggests the threat actors are in a reconnaissance and validation phase rather than an interactive exploitation phase. However, the ultimate objective of the operators behind IP 146.190.133.49 remains unknown, as does the total number of compromised or exposed instances. While there is no definitive proof that this specific scanner utilized AI-generated tooling, researchers note a broader trend of rapid automation within the AI security ecosystem.

Why the AI-Agent Ecosystem is...
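For operators who run the legacy API server behind a reverse proxy, the indicators above (the CVE-Detector/1.0 User-Agent, GET /agents, POST /chat, and bursts of requests from one source) can be turned into a log check. The script below is an added example, not code from PraisonAI or Sysdig: it assumes the proxy writes Combined Log Format lines (nginx/Apache style), and the sample lines embedded in it are constructed for the demonstration, with only the first timestamp and the source IP taken from the report. The 5-minute wave-splitting gap is a chosen threshold, sized so that the two waves eight minutes apart described above fall into separate groups.

```python
"""Access-log triage for CVE-2026-44338 probing (added example; assumes a CLF proxy log)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCANNER_UA = "CVE-Detector/1.0"                      # User-Agent named in the Sysdig report
SENSITIVE = {("GET", "/agents"), ("POST", "/chat")}  # endpoints named in the advisory

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one external scanner, three internal clients.
SAMPLE_LOG = """\
146.190.133.49 - - [11/May/2026:17:40:55 +0000] "GET /agents HTTP/1.1" 200 312 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:17:40:56 +0000] "GET /.env HTTP/1.1" 404 0 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:17:48:57 +0000] "GET /agents HTTP/1.1" 200 312 "-" "CVE-Detector/1.0"
10.0.0.5 - - [11/May/2026:17:41:10 +0000] "GET /agents HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [11/May/2026:18:02:03 +0000] "POST /chat HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [11/May/2026:18:05:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # match endpoints regardless of query string
    return e


def is_external(ip):
    """True for globally routable source addresses (not RFC1918, loopback, etc.)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def classify(e):
    """Tags explaining why an entry matters; an empty list means nothing to report."""
    tags = []
    if e["ua"] == SCANNER_UA:
        tags.append("known_scanner_ua")
    key = (e["method"], e["path"])
    if key == ("GET", "/agents"):
        tags.append("agents_enumeration")
    elif key == ("POST", "/chat"):
        tags.append("chat_trigger")
    # A 200 to either endpoint from a global address means the server answered
    # with no credential presented: the bypass was confirmed, not just attempted.
    if key in SENSITIVE and e["status"] == 200 and is_external(e["ip"]):
        tags.append("unauthenticated_success")
    return tags


def find_waves(entries, gap=timedelta(minutes=5)):
    """Group each IP's requests into bursts separated by more than `gap`.
    Returns {ip: [(first_ts, last_ts, request_count), ...]}."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    waves = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        bursts, start, prev, count = [], stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if ts - prev > gap:
                bursts.append((start, prev, count))
                start, count = ts, 0
            count += 1
            prev = ts
        bursts.append((start, prev, count))
        waves[ip] = bursts
    return waves


def analyze(log_text):
    """Parse log text; return parsed count, flagged entries and per-IP waves."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = []
    for e in entries:
        tags = classify(e)
        if tags:
            flagged.append({"ip": e["ip"], "ts": e["ts"].isoformat(), "method": e["method"],
                            "path": e["path"], "status": e["status"], "tags": tags})
    suspicious = {f["ip"] for f in flagged}
    waves = find_waves([e for e in entries if e["ip"] in suspicious])
    return {"parsed": len(entries), "flagged": flagged, "waves": waves}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["flagged"]:
        print(f"{f['ts']} {f['ip']:>15} {f['method']} {f['path']} {f['status']} {','.join(f['tags'])}")
    for ip, bursts in result["waves"].items():
        for start, end, n in bursts:
            print(f"wave from {ip}: {n} request(s) between {start.time()} and {end.time()} UTC")
```

Run it against a real proxy log by replacing SAMPLE_LOG with the file contents. The unauthenticated_success tag is the one worth alerting on: a 200 to GET /agents or POST /chat from a global address is direct evidence that the instance answered without credentials and should be upgraded to 4.6.34 or taken off the network path.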
