▸ SECURE CONNECTION ▸ LATENCY: 4.2ms ▸ AGENTS: 17,432 ▸ THREAT LEVEL: NOMINAL
ROGUE TERMINAL v1.0 ESC to close
← Back to blog
May 18, 2026 by Rogue Security Research
agentic-securityorchestrationCVEruntime-securityOWASPidentitycontrol-plane

Auth Disabled by Default: Why Agent Orchestrators Became Your New Control Plane

Security incident pattern - orchestration endpoints

Auth disabled by default is not a misconfiguration - it is a control-plane bug.

CVE-2026-44338 in PraisonAI was exploited within hours because a legacy agent API shipped with authentication disabled. The uncomfortable part: the real impact is defined by what your agents.yaml is allowed to do.

CVE-2026-44338
Missing authentication
3h 44m
First observed probing
/agents
Config enumeration
/chat
Workflow execution
Executive summary

An agent orchestrator is not an internal dev tool once it can trigger workflows. Treat its API surface like a production control plane: authenticated, authorized, isolated, rate limited, and fully audited. If an endpoint can cause tool calls, it is a capability boundary.

What happened (simplified)

PraisonAI is an open-source multi-agent orchestration framework. A legacy Flask API server shipped with authentication disabled by default. That made two endpoints effectively public to anyone who could reach the server:

  • GET /agents - enumerate configured agents and the agent file
  • POST /chat - trigger the locally configured agents.yaml workflow

Sysdig reported observing probing activity within hours of disclosure. The maintainer advisory states the issue affected versions 2.5.6 through 4.6.33 and was patched in 4.6.34.

Why defenders should care

This is not just “unauthenticated data exposure”. In an agentic system, configuration often implies permissions. If agents.yaml can access SaaS APIs, internal services, tickets, code, or credentials, the orchestrator endpoint becomes a remote trigger for those capabilities.

The control plane inversion: why this keeps happening

Security teams are used to a stable hierarchy:

  • App server - serves data
  • Worker - runs jobs
  • Admin plane - protected, rarely exposed

Agentic stacks invert this. Orchestration endpoints (framework APIs, tool routers, agent gateways) are now the admin plane. They look like developer conveniences, but they own the keys:

  • Which tools exist
  • Which credentials can be used
  • Which data sources are reachable
  • Which actions are allowed to run without human confirmation

When that surface ships with permissive defaults, you do not get a “bug”. You get an always-on remote operations channel.

Attack flow: from unauthenticated request to real-world action
[ATK]
External caller reaches an internet-exposed orchestrator endpoint
->
[API]
GET /agents returns agent config and workflow metadata
->
[API]
POST /chat triggers agents.yaml actions without an auth token
->
[SRV]
Agent calls tools: SaaS APIs, internal services, code, tickets, cloud, RPA
->
[DEF]
Mitigation: isolate, authenticate, authorize per tool, log every step

”But we only run it internally” is not a defense

Internal only is a routing property, not a security control. Orchestrators become reachable through:

  • Developer tunnels and preview environments
  • Shared VPCs and flat networks
  • CI runners that can reach internal services
  • Compromised developer endpoints
  • Misconfigured ingress, load balancers, or security groups

Once reachable, missing authentication collapses the entire trust boundary.

A simple test: does the endpoint create side effects?

If an endpoint can cause side effects, treat it like a privileged API. This is the difference between “read-only” exposure and a real incident class.

Question
If the answer is yes
Then it is
Can a request trigger tool calls?
Even indirectly via agent planning
A capability boundary (OWASP ASI02, ASI05)
Does configuration imply permissions?
Workflows often include credentials and scopes
An identity boundary (OWASP ASI03)
Can it run unattended or on schedule?
No human confirmation gates the action
An automation plane that needs circuit breakers (OWASP ASI10)

What security teams should do this week

Monday-morning hardening checklist
  • Inventory orchestrators: framework APIs, agent gateways, workflow engines, internal “agent routers”. Do not forget legacy servers.
  • Network isolate by default: private subnets, no public ingress, explicit egress control.
  • Require auth and mTLS: treat “no token” as a defect, not a convenience.
  • Authorize at the tool boundary: per-tool allowlists, per-scope policies, and explicit denial for unknown tools.
  • Rate limit and budget: per-identity quotas for model calls and tool calls, with alerting on spikes.
  • Turn config into code: signed workflow definitions, change review, and immutable deployment artifacts.
  • Audit for side effects: log who triggered a workflow, what tools were called, what data left, and what changed.
  • Test the failure mode: assume compromise and rehearse rollback, revocation, and containment.

Mapping to OWASP Agentic Top 10 (2026)

This incident pattern touches multiple OWASP Agentic Top 10 categories:

  • ASI03 - Identity and privilege abuse: config becomes a proxy for permissions
  • ASI02 - Tool misuse and exploitation: /chat is effectively a tool trigger
  • ASI05 - Unexpected code execution: workflows often include code execution or high privilege actions
  • ASI10 - Rogue agents: unattended execution without controls or a kill switch turns simple bugs into incidents

References

  • TheHackerNews coverage of exploitation timeline (Sysdig observations)
  • GitHub advisory: GHSA-6rmh-7xcm-cpxj
  • NVD entry for CVE-2026-44338

Rogue Security publishes practical analysis of real agentic AI failures, mapped to OWASP Agentic Top 10 (2026). If you are building or defending agentic systems, you can browse more research at rogue.security.