Summary CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator ("praisonai.deploy.api.generate_api_server_code") that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart ("praisonai deploy --type api") get a server that: - binds to "0.0.0.0" per the recommended sample YAML - exposes "/chat" and "/agents" endpoints - runs "praisonai.run()" on user-supplied JSON input — LLM orchestration with the API key materials present in the process environment - does not require any authentication The PyPI wheel "praisonai==4.6.33" (current "@latest") still ships the generator with "auth_enabled" defaulting to "False". The fix shape is opt-in via "APIConfig(auth_enabled=True, auth_token=...)". Details Anchor (file:line:symbol) - Vulnerable artifact: "praisonai==4.6.33" on PyPI. - Defaults: "praisonai/deploy/models.py:29" — "auth_enabled: bool = Field(default=False, ...)"; "praisonai/deploy/models.py:30" — "auth_token: Optional[str] = Field(default=None, ...)". - Generator: "praisonai/deploy/api.py:40" — "AUTH_ENABLED = {config.auth_enabled}"; "api.py:41" — "AUTH_TOKEN = {repr(config.auth_token)}"; "api.py:43-49" — "def check_auth(): if not AUTH_ENABLED: return True". - CLI entry: documented as "praisonai deploy --type api" (vendor README); produces the generator output above with no flag required to suppress the warning, because no warning is emitted. Vulnerable code (verbatim from installed wheel) praisonai/deploy/models.py (praisonai==4.6.33) class APIConfig(BaseModel): host: str = Field(default="127.0.0.1", description="Server host") port: int = Field(default=8005, description="Server port") cors_enabled: bool = Field(default=True, description="Enable CORS") auth_enabled: bool = Field(default=False, description="Enable authentication") # line 29 auth_token: Optional[str] = Field(default=None, description="Authentication token") # line 30 praisonai/deploy/api.py (praisonai==4.6.33) code = f'''... Authentication AUTH_ENABLED = {config.auth_enabled} # False by default AUTH_TOKEN = {repr(config.auth_token)} # None by default def check_auth(): if not AUTH_ENABLED: return True # short-circuit, accept all token = request.headers.get('Authorization', '').replace('Bearer ', '') return token == AUTH_TOKEN ... ''' A default invocation of the deploy command emits a server whose "check_auth()" short-circuits to "True" and accepts unauthenticated "/chat", "/agents" POSTs. PoC #!/usr/bin/env python3 """ legend-c420 PoC - PraisonAI 4.6.33 generates Flask API server with auth disabled by default. Class H sibling of CVE-2026-44338. Phase 1: reflect on praisonai.deploy.models.APIConfig defaults. Phase 2: call generate_api_server_code(default config) and assert the emitted source contains AUTH_ENABLED = False and the short-circuit return. Phase 3: re-run with auth_enabled=True, auth_token='s3cret-bearer-value' and confirm the emitted source flips to the secure shape. Exit code 0 = PASS = vulnerable defaults confirmed. """ import sys, traceback def phase1_dataclass_defaults(): print("PHASE 1 - praisonai.deploy.models.APIConfig default values") from praisonai.deploy.models import APIConfig cfg = APIConfig() checks = [ ("auth_enabled", cfg.auth_enabled, False), ("auth_token", cfg.auth_token, None), ] for name, observed, expected in checks: ok = observed == expected mark = "VULNERABLE" if name in ("auth_enabled","auth_token") and ok else "ok" print(f" {name:14s} = {observed!r:18s} (expected {expected!r}) [{mark}]") assert ok print(" >> APIConfig defaults reproduce the CVE-2026-44338 shape.") def phase2_default_generator_emits_unauth(): print("PHASE 2 - generate_api_server_code(default config) emits unauth server") from praisonai.deploy.models import APIConfig from praisonai.deploy.api import generate_api_server_code src = generate_api_server_code("agents.yaml", config=APIConfig()) for needle in ["AUTH_ENABLED = False","AUTH_TOKEN = None","if not AUTH_ENABLED:","return True"]: assert needle in src, f"missing: {needle!r}" print(f" [FOUND] {needle!r}") print(" >> Default-config generator emits Flask server with check_auth() short-circuit.") def phase3_fix_shape_available(): print("PHASE 3 - auth_enabled=True flips to secure shape") from praisonai.deploy.models import APIConfig from praisonai.deploy.api import generate_api_server_code cfg = APIConfig(auth_enabled=True, auth_token="s3cret-bearer-value") src = generate_api_server_code("agents.yaml", config=cfg) assert "AUTH_ENABLED = True" in src assert "AUTH_ENABLED = False" not in src print(" >> Fix shape works when toggled. Class H confirmed: default is insecure.") def main(): print("=" * 64) print("legend-c420 PoC - PraisonAI default-config AUTH_ENABLED=False") print("=" * 64) try: phase1_dataclass_defaults() phase2_default_generator_emits_unauth() phase3_fix_shape_available() except Exception: traceback.print_exc() print("FAIL"); sys.exit(2) print("PASS 3/3 phases. EXIT 0.") sys.exit(0) if name == "main": main() PoC dependencies: "praisonai==4.6.33" from PyPI. Tested on Python 3.11. Run log verdict: "PASS 3/3 phases. EXIT 0." — vulnerable-default shape confirmed. "auth_enabled=False" by default, "check_auth()" short-circuits to "True", fix toggle exists but is opt-in. Impact An operator who runs the vendor-documented quickstart ("pip install praisonai && praisonai deploy --type api") gets a network-reachable Flask server that invokes "praisonai.run()" on attacker-supplied JSON with the user's LLM API keys in the process environment. The attacker reaches arbitrary LLM-orchestration (including any tool-use the agents define, which in PraisonAI commonly includes "python_repl", "bash", file I/O, and HTTP calls), with the host's API-key credit billed to the operator. - Belief: CVE-2026-44338 was filed and triaged. - Reality: "praisonai==4.6.33" is current "@latest" on PyPI (2026-05-16). The generator still defaults to "auth_enabled=False". - Gap: The CVE acknowledges the fix shape exists. The fix is opt-in. The default-config consumer remains vulnerable. Parent CVE: CVE-2026-44338 / GHSA-6rmh-7xcm-cpxj