Description
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.
Published: 2026-04-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access and tampering via SQL identifier injection
Action: Immediate Patch
AI Analysis

Impact

PraisonAI's SQLiteConversationStore concatenates the table_prefix configuration directly into SQL identifiers without validation, creating an identifier injection flaw. An attacker controlling this value—through configuration files parsed by from_yaml or from_dict—can inject arbitrary SQL fragments. This allows extraction of sensitive schema information, reading internal SQLite tables such as sqlite_master, and manipulating query results via UNION-based techniques. The result is a breach of confidentiality and integrity of database data, potentially exposing internal system structures and corrupting data returned to higher‑level components.

Affected Systems

The vulnerability exists in all releases of PraisonAI prior to version 4.5.133. It affects the MervinPraison PraisonAI product when the SQLiteConversationStore is used and configuration input passed through config.py allows table_prefix to be set from untrusted sources. Versions 4.5.133 and later have the issue fixed.

Risk and Exploitability

The CVSS score of 7.2 indicates a moderate to high risk. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires influence over configuration input; systems that allow user‑supplied or remotely editable configuration files are most vulnerable. If successfully exploited, an attacker gains full visibility of the database schema and can alter data returned to application components, potentially enabling further compromise.

Generated by OpenCVE AI on April 14, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to PraisonAI 4.5.133 or later.
  • If an upgrade is not yet possible, restrict the sources of configuration files so that table_prefix cannot be set from untrusted data.
  • Validate or sanitize table_prefix inputs to ensure they contain only allowed characters or use a whitelist of acceptable values.
  • Audit existing configuration files for unauthorized modifications or injected prefixes.
  • Disable or remove use of SQLiteConversationStore in environments where it is not required to reduce attack surface.
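As an added illustration of the whitelist approach in the third action above (example code written for this page, not PraisonAI's own implementation; the SafeConversationStore class and its function names are hypothetical), the prefix is checked once against a strict identifier pattern, rejected if it lands in SQLite's reserved sqlite_ namespace, and then quoted as an identifier, while row values are still bound as parameters:

```python
import re
import sqlite3

# Whitelist for a table-name prefix: empty, or letter/underscore then letters,
# digits or underscores (max 63 chars). Quotes, spaces, ';' and '--' never match.
_PREFIX_RE = re.compile(r"(?:[A-Za-z_][A-Za-z0-9_]{0,62})?")

def validate_table_prefix(prefix: str) -> str:
    """Return prefix unchanged if it is a safe identifier fragment, else raise."""
    if not isinstance(prefix, str) or not _PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid table_prefix: {prefix!r}")
    if prefix.lower().startswith("sqlite_"):  # reserved for sqlite_master etc.
        raise ValueError("table_prefix may not start with 'sqlite_'")
    return prefix

def quote_ident(name: str) -> str:
    """Double-quote an identifier so SQLite parses it as a name, never as SQL."""
    return '"' + name.replace('"', '""') + '"'

class SafeConversationStore:
    """Hypothetical stand-in for a conversation store: the prefix is validated
    once at construction and the resulting identifier is quoted in every query."""
    def __init__(self, conn: sqlite3.Connection, table_prefix: str = ""):
        self.conn = conn
        self.table = quote_ident(validate_table_prefix(table_prefix) + "conversations")
        self.conn.execute(f"CREATE TABLE IF NOT EXISTS {self.table} "
                          "(id INTEGER PRIMARY KEY, role TEXT, content TEXT)")

    def add(self, role: str, content: str) -> None:
        # Row values are bound parameters; only the vetted identifier is interpolated.
        self.conn.execute(f"INSERT INTO {self.table} (role, content) VALUES (?, ?)",
                          (role, content))

    def messages(self) -> list:
        return list(self.conn.execute(f"SELECT role, content FROM {self.table} ORDER BY id"))

def is_prefix_accepted(prefix: str) -> bool:
    """True if validate_table_prefix() accepts the value, False if it rejects it."""
    try:
        validate_table_prefix(prefix)
        return True
    except ValueError:
        return False

def demo_roundtrip(prefix: str = "agent_") -> list:
    """Build an in-memory store with a constructed prefix and read one row back."""
    store = SafeConversationStore(sqlite3.connect(":memory:"), prefix)
    store.add("user", "hello")
    return store.messages()
```

Applying the check at the configuration boundary (where from_yaml or from_dict hands the value over) means a bad prefix fails loudly at startup instead of reaching query construction.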

Generated by OpenCVE AI on April 14, 2026 at 05:23 UTC.

Advisories

Source        ID                     Title
GitHub GHSA   GHSA-x783-xp3g-mqhp    PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries

History

Mon, 20 Apr 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Praison
                                       Praison praisonai
CPEs                                   cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products                     Praison
                                       Praison praisonai
Metrics                                cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 14 Apr 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mervinpraison
                                       Mervinpraison praisonai
Vendors & Products                     Mervinpraison
                                       Mervinpraison praisonai

Tue, 14 Apr 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 04:00:00 +0000

Type                  Values Removed   Values Added
Description                            PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.
Title                                  PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
Weaknesses                             CWE-89
References
Metrics                                cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:25:13.165Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40315

Vulnrichment

Updated: 2026-04-14T13:25:00.154Z

NVD

Status: Analyzed

Published: 2026-04-14T04:17:16.057

Modified: 2026-04-20T17:38:54.490

Link: CVE-2026-40315

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:57Z

Weaknesses