Vulnerability-Lookup

CVE-2026-41496 (GCVE-0-2026-41496)

Vulnerability from cvelistv5 – Published: 2026-05-08 13:19 – Updated: 2026-05-08 23:18

Title

PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

Summary

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/MervinPraison/PraisonAI/securi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	MervinPraison	PraisonAI	Affected: praisonaiagents < 1.6.9 Affected: praisonai < 4.6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41496",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T23:17:23.691346Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T23:18:11.328Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PraisonAI",
          "vendor": "MervinPraison",
          "versions": [
            {
              "status": "affected",
              "version": "praisonaiagents \u003c 1.6.9"
            },
            {
              "status": "affected",
              "version": "praisonai \u003c 4.6.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends \u2014 MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB \u2014 pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T13:19:10.753Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"
        }
      ],
      "source": {
        "advisory": "GHSA-rg3h-x3jw-7jm5",
        "discovery": "UNKNOWN"
      },
      "title": "PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41496",
    "datePublished": "2026-05-08T13:19:10.753Z",
    "dateReserved": "2026-04-20T16:14:19.009Z",
    "dateUpdated": "2026-05-08T23:18:11.328Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41496",
      "date": "2026-05-09",
      "epss": "0.00012",
      "percentile": "0.01813"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41496\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T14:16:33.693\",\"lastModified\":\"2026-05-09T00:16:27.707\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends \u2014 MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB \u2014 pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.6.9\",\"matchCriteriaId\":\"926F2340-8373-45E8-8F68-EDB9E771A52E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"1.6.9\",\"matchCriteriaId\":\"CE98749C-A5F2-4D34-9CBA-87CA20237D1E\"}]}]}],\"references\":[{\"url\":\"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41496\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T23:17:23.691346Z\"}}}], \"references\": [{\"url\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T23:18:03.585Z\"}}], \"cna\": {\"title\": \"PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)\", \"source\": {\"advisory\": \"GHSA-rg3h-x3jw-7jm5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"MervinPraison\", \"product\": \"PraisonAI\", \"versions\": [{\"status\": \"affected\", \"version\": \"praisonaiagents \u003c 1.6.9\"}, {\"status\": \"affected\", \"version\": \"praisonai \u003c 4.6.9\"}]}], \"references\": [{\"url\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5\", \"name\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends \\u2014 MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB \\u2014 pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T13:19:10.753Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41496\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-08T23:18:11.328Z\", \"dateReserved\": \"2026-04-20T16:14:19.009Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T13:19:10.753Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41496

Vulnerability from fkie_nvd - Published: 2026-05-08 14:16 - Updated: 2026-05-09 00:16

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	praison	praisonai	*
	praison	praisonaiagents	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "926F2340-8373-45E8-8F68-EDB9E771A52E",
              "versionEndExcluding": "4.6.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "CE98749C-A5F2-4D34-9CBA-87CA20237D1E",
              "versionEndExcluding": "1.6.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends \u2014 MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB \u2014 pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9."
    }
  ],
  "id": "CVE-2026-41496",
  "lastModified": "2026-05-09T00:16:27.707",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T14:16:33.693",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-RG3H-X3JW-7JM5

Vulnerability from github – Published: 2026-04-17 22:24 – Updated: 2026-04-27 16:34

Summary

PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

Details

The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase.

postgres.py additionally accepts an unvalidated schema parameter used directly in DDL.

Severity

High — CWE-89 (SQL Injection)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N — 8.1

Exploitable in any deployment where table_prefix is derived from external input (multi-tenant setups, API-driven configuration, user-modifiable config files). Default config ("praison_") is not affected.

Details

The CVE-2026-40315 fix added this guard to sqlite.py:52:

# sqlite.py — PATCHED
import re
if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
    raise ValueError("table_prefix must contain only alphanumeric characters and underscores")

The following backends perform the identical table_prefix → f-string SQL pattern without this guard:

Backend	File	Line	Injection points
MySQL	`persistence/conversation/mysql.py`	65	5
PostgreSQL	`persistence/conversation/postgres.py`	89 (+schema:88)	10
Async SQLite	`persistence/conversation/async_sqlite.py`	43	13
Async MySQL	`persistence/conversation/async_mysql.py`	65	13
Async PostgreSQL	`persistence/conversation/async_postgres.py`	63	13
Turso/LibSQL	`persistence/conversation/turso.py`	66	9
SingleStore	`persistence/conversation/singlestore.py`	51	7
Supabase	`persistence/conversation/supabase.py`	68	9
SurrealDB	`persistence/conversation/surrealdb.py`	57	8
Total	9 backends		52 injection points

Additionally, praisonai-agents/praisonaiagents/storage/backends.py:179 (SQLiteBackend) accepts table_name without validation.

PoC

#!/usr/bin/env python3
"""
Demonstrates: sqlite.py rejects malicious table_prefix, mysql.py accepts it.
Run: python3 poc.py  (no dependencies required)
"""
import re

payload = "x'; DROP TABLE users; --"

# ── SQLite (patched) ────────────────────────────────────────────────
try:
    if not re.match(r'^[a-zA-Z0-9_]*$', payload):
        raise ValueError("blocked")
    print(f"[SQLite] FAIL — accepted: {payload}")
except ValueError:
    print(f"[SQLite] OK — rejected malicious table_prefix")

# ── MySQL (unpatched) ───────────────────────────────────────────────
sessions_table = f"{payload}sessions"
sql = f"CREATE TABLE IF NOT EXISTS {sessions_table} (session_id VARCHAR(255) PRIMARY KEY)"
print(f"[MySQL]  VULN — generated SQL:\n  {sql}")

# ── PostgreSQL (unpatched — both table_prefix AND schema) ──────────
schema = "public; DROP SCHEMA data CASCADE; --"
sessions_table = f"{schema}.praison_sessions"
sql = f"CREATE SCHEMA IF NOT EXISTS {schema}"
print(f"[Postgres] VULN — schema injection:\n  {sql}")

Output:

[SQLite] OK — rejected malicious table_prefix
[MySQL]  VULN — generated SQL:
  CREATE TABLE IF NOT EXISTS x'; DROP TABLE users; --sessions (session_id VARCHAR(255) PRIMARY KEY)
[Postgres] VULN — schema injection:
  CREATE SCHEMA IF NOT EXISTS public; DROP SCHEMA data CASCADE; --

Vulnerable code (mysql.py, representative)

# mysql.py:65-67 — NO validation
self.table_prefix = table_prefix                    # ← raw input
self.sessions_table = f"{table_prefix}sessions"     # ← into identifier
self.messages_table = f"{table_prefix}messages"

# mysql.py:105 — straight into DDL
cur.execute(f"""
    CREATE TABLE IF NOT EXISTS {self.sessions_table} (
        session_id VARCHAR(255) PRIMARY KEY, ...
    )
""")

Compare with the patched sqlite.py:52:

# sqlite.py:52-53 — HAS validation
if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
    raise ValueError("table_prefix must contain only alphanumeric characters and underscores")

Impact

When table_prefix originates from untrusted input — multi-tenant tenant names, API request parameters, user-editable config — an attacker achieves arbitrary SQL execution against the backing database. The injected SQL runs in the context of DDL and DML operations (CREATE TABLE, INSERT, SELECT, DELETE), giving the attacker read/write/delete access to the entire database.

PostgreSQL's schema parameter adds a second injection vector in DDL (CREATE SCHEMA IF NOT EXISTS {schema}).

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.148"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.149"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T22:24:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The fix for [CVE-2026-40315](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp) added input validation to `SQLiteConversationStore` only. Nine sibling backends \u2014 MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB \u2014 pass `table_prefix` straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase.\n\n`postgres.py` additionally accepts an unvalidated `schema` parameter used directly in DDL.\n\n### Severity\n\n**High** \u2014 CWE-89 (SQL Injection)\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N \u2014 **8.1**\n\nExploitable in any deployment where `table_prefix` is derived from external input (multi-tenant setups, API-driven configuration, user-modifiable config files). Default config (`\"praison_\"`) is not affected.\n\n### Details\n\nThe [CVE-2026-40315 fix](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp) added this guard to `sqlite.py:52`:\n\n```python\n# sqlite.py \u2014 PATCHED\nimport re\nif not re.match(r\u0027^[a-zA-Z0-9_]*$\u0027, table_prefix):\n    raise ValueError(\"table_prefix must contain only alphanumeric characters and underscores\")\n```\n\nThe following backends perform the identical `table_prefix \u2192 f-string SQL` pattern **without this guard**:\n\n| Backend          | File                                         | Line            | Injection points        |\n| ---------------- | -------------------------------------------- | --------------- | ----------------------- |\n| MySQL            | `persistence/conversation/mysql.py`          | 65              | 5                       |\n| PostgreSQL       | `persistence/conversation/postgres.py`       | 89 (+schema:88) | 10                      |\n| Async SQLite     | `persistence/conversation/async_sqlite.py`   | 43              | 13                      |\n| Async MySQL      | `persistence/conversation/async_mysql.py`    | 65              | 13                      |\n| Async PostgreSQL | `persistence/conversation/async_postgres.py` | 63              | 13                      |\n| Turso/LibSQL     | `persistence/conversation/turso.py`          | 66              | 9                       |\n| SingleStore      | `persistence/conversation/singlestore.py`    | 51              | 7                       |\n| Supabase         | `persistence/conversation/supabase.py`       | 68              | 9                       |\n| SurrealDB        | `persistence/conversation/surrealdb.py`      | 57              | 8                       |\n| **Total**        | **9 backends**                               |                 | **52 injection points** |\n\nAdditionally, `praisonai-agents/praisonaiagents/storage/backends.py:179` (`SQLiteBackend`) accepts `table_name` without validation.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nDemonstrates: sqlite.py rejects malicious table_prefix, mysql.py accepts it.\nRun: python3 poc.py  (no dependencies required)\n\"\"\"\nimport re\n\npayload = \"x\u0027; DROP TABLE users; --\"\n\n# \u2500\u2500 SQLite (patched) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ntry:\n    if not re.match(r\u0027^[a-zA-Z0-9_]*$\u0027, payload):\n        raise ValueError(\"blocked\")\n    print(f\"[SQLite] FAIL \u2014 accepted: {payload}\")\nexcept ValueError:\n    print(f\"[SQLite] OK \u2014 rejected malicious table_prefix\")\n\n# \u2500\u2500 MySQL (unpatched) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nsessions_table = f\"{payload}sessions\"\nsql = f\"CREATE TABLE IF NOT EXISTS {sessions_table} (session_id VARCHAR(255) PRIMARY KEY)\"\nprint(f\"[MySQL]  VULN \u2014 generated SQL:\\n  {sql}\")\n\n# \u2500\u2500 PostgreSQL (unpatched \u2014 both table_prefix AND schema) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nschema = \"public; DROP SCHEMA data CASCADE; --\"\nsessions_table = f\"{schema}.praison_sessions\"\nsql = f\"CREATE SCHEMA IF NOT EXISTS {schema}\"\nprint(f\"[Postgres] VULN \u2014 schema injection:\\n  {sql}\")\n```\n\nOutput:\n\n```\n[SQLite] OK \u2014 rejected malicious table_prefix\n[MySQL]  VULN \u2014 generated SQL:\n  CREATE TABLE IF NOT EXISTS x\u0027; DROP TABLE users; --sessions (session_id VARCHAR(255) PRIMARY KEY)\n[Postgres] VULN \u2014 schema injection:\n  CREATE SCHEMA IF NOT EXISTS public; DROP SCHEMA data CASCADE; --\n```\n\n### Vulnerable code (mysql.py, representative)\n\n```python\n# mysql.py:65-67 \u2014 NO validation\nself.table_prefix = table_prefix                    # \u2190 raw input\nself.sessions_table = f\"{table_prefix}sessions\"     # \u2190 into identifier\nself.messages_table = f\"{table_prefix}messages\"\n\n# mysql.py:105 \u2014 straight into DDL\ncur.execute(f\"\"\"\n    CREATE TABLE IF NOT EXISTS {self.sessions_table} (\n        session_id VARCHAR(255) PRIMARY KEY, ...\n    )\n\"\"\")\n```\n\nCompare with the patched `sqlite.py:52`:\n\n```python\n# sqlite.py:52-53 \u2014 HAS validation\nif not re.match(r\u0027^[a-zA-Z0-9_]*$\u0027, table_prefix):\n    raise ValueError(\"table_prefix must contain only alphanumeric characters and underscores\")\n```\n\n### Impact\n\nWhen `table_prefix` originates from untrusted input \u2014 multi-tenant tenant names, API request parameters, user-editable config \u2014 an attacker achieves **arbitrary SQL execution** against the backing database. The injected SQL runs in the context of DDL and DML operations (CREATE TABLE, INSERT, SELECT, DELETE), giving the attacker read/write/delete access to the entire database.\n\nPostgreSQL\u0027s `schema` parameter adds a second injection vector in DDL (`CREATE SCHEMA IF NOT EXISTS {schema}`).",
  "id": "GHSA-rg3h-x3jw-7jm5",
  "modified": "2026-04-27T16:34:12Z",
  "published": "2026-04-17T22:24:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41496 (GCVE-0-2026-41496)

FKIE_CVE-2026-41496

GHSA-RG3H-X3JW-7JM5

Severity

Details

PoC

Vulnerable code (mysql.py, representative)

Impact

Tags

Sightings

Nomenclature