PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.

Basic Information

ID CVE-2026-41496

Source GitHub_M

Published May 8, 2026 at 13:19

Affected Product

Vendor MervinPraison

Product PraisonAI

Version praisonaiagents < 1.6.9

Affected Versions MervinPraison PraisonAI praisonaiagents < 1.6.9
MervinPraison PraisonAI praisonai < 4.6.9

CWE Classification

CWE-89

References

github.com /MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5

{
    "lastseen": "",
    "description": "PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends \u2014 MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB \u2014 pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.",
    "published": "2026-05-08T13:19:10.753Z",
    "modified": "2026-05-08T13:19:10.753Z",
    "type": "cve",
    "title": "PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)",
    "source": "GitHub_M",
    "references": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5",
    "id": "CVE-2026-41496",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "MervinPraison PraisonAI praisonaiagents < 1.6.9\nMervinPraison PraisonAI praisonai < 4.6.9",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PraisonAI",
    "version": "praisonaiagents < 1.6.9",
    "vendor": "MervinPraison",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)_CVE-2026-41496