CVE-2026-40315
published 2026-04-14CVE-2026-40315: PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix…
PriorityP359critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.30%
21.3th percentile
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | — | — |
| mervinpraison | praisonai | — | — |
| mervinpraison | praisonai | >= 0 < 4.5.133 | 4.5.133 |
| mervinpraison | praisonai | >= 0 < 4.5.149 | 4.5.149 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.8 | 1.6.8 |
| praison | praisonai | < 4.6.9 | 4.6.9 |
| praison | praisonai | < 4.5.133 | 4.5.133 |
| praison | praisonaiagents | < 1.6.9 | 1.6.9 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.2HIGHCVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
ghsa·2026-04-17
CVE-2026-40315 [HIGH] CWE-89 PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
The fix for [CVE-2026-40315](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp) added input validation to `SQLiteConversationStore` only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass `table_prefix` straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase.
`postgres.py` additionally accepts an unvalidated `schema` parameter used directly in DDL.
### Severity
**High** — CWE-89 (SQL Injection)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N — **8.1**
Exploitable in any deployment whe
GHSA
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
ghsa·2026-04-10
CVE-2026-40315 [MEDIUM] CWE-89 PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
### Summary
The `table_prefix` configuration value is directly used to construct SQL table identifiers without validation.
If an attacker controls this value, they can manipulate SQL query structure, leading to unauthorized data access (e.g., reading internal SQLite tables such as `sqlite_master`) and tampering with query results.
---
### Details
This allows attackers to inject arbitrary SQL fragments into table identifiers, effectively altering query execution.
This occurs because `table_prefix` is passed from configuration (`from_yaml` / `from_dict`) into `SQLiteConversationStore` and directly concatenated into SQL queries via f-strings:
```python
sessions_table = f"{table_prefix}sessions
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-14
Published