PraisonAI Got a CVE on May 14. The First Targeted Exploit Hit in 3 Hours, 44 Minutes. Self-Hosted Agent Frameworks Just Moved Up a Threat-Model Tier.
CVE-2026-44338 is a missing-authentication flaw in the PraisonAI agent framework where the legacy Flask API server ships with AUTH_ENABLED hardcoded to False. The interesting number isn't the CVSS 7.3. It's the time from disclosure to first GET /agents probe in the wild.