Description
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.
Published: 2026-05-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI’s conversation stores allow attackers to inject arbitrary SQL through the unvalidated table_prefix parameter, as well as an unvalidated schema parameter in the PostgreSQL backend. The flaw exists in nine different database backends, providing 52 injection points across the codebase. An attacker who supplies malicious input can alter query logic, read sensitive data, or possibly execute arbitrary commands within the database context, compromising confidentiality, integrity, and potentially leading to system compromise.

Affected Systems

The vulnerability affects MervinPraison’s PraisonAI, specifically versions prior to 4.6.9 for the core system and prior to 1.6.9 for the agent component. It impacts all supported backends, including MySQL, PostgreSQL, async SQLite, Turso, SingleStore, Supabase, SurrealDB, and others that use the table_prefix input without proper validation.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is considered high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is through any interface that accepts a table_prefix or schema parameter, likely via an exposed API or administrative configuration. Exploitation requires insertion of SQL syntax into these parameters, which then gets embedded directly into f-string SQL statements.

Generated by OpenCVE AI on May 8, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to PraisonAI version 4.6.9 and praisonaiagents version 1.6.9, which include proper input validation for the affected parameters.
  • Validate or sanitize any user‑supplied table_prefix or schema values before they are used in SQL queries, ensuring they contain only allowed characters or are mapped to static identifiers.
  • Restart all affected services after applying the patch or validation changes to ensure the new code is in use and no legacy code paths remain active.
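The second action above describes the defensive pattern: identifiers such as table_prefix or schema cannot be bound as query parameters, so they must be allow-listed before they are spliced into SQL text. The following is an added example written for this page, not code from PraisonAI or from the advisory; the names validate_identifier, safe_table_name and ConversationStore, the allow-list regex, and the SQLite-backed store are all assumptions made here to illustrate the check, not the project's implementation.

```python
import re
import sqlite3

# Allow-list for bare SQL identifiers used as table prefixes or schema names.
# Constructed for this example; the exact rule used in the PraisonAI fix is not
# shown on the advisory page.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def is_valid_identifier(value) -> bool:
    """True if value is a bare identifier: letters, digits, underscore, max 63 chars."""
    return isinstance(value, str) and _IDENTIFIER_RE.fullmatch(value) is not None


def validate_identifier(value, what: str = "identifier") -> str:
    """Return value unchanged if it is a safe bare identifier, else raise ValueError.

    A bare identifier never contains quotes, whitespace, dots or semicolons,
    so it cannot change the structure of the statement it is formatted into.
    """
    if not is_valid_identifier(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def unsafe_table_name(table_prefix: str) -> str:
    """The vulnerable pattern from the advisory: the prefix goes straight into SQL text."""
    return f"{table_prefix}conversations"


def safe_table_name(table_prefix: str) -> str:
    """Hardened form: same f-string, but the prefix is allow-listed first."""
    return f"{validate_identifier(table_prefix, 'table_prefix')}conversations"


class ConversationStore:
    """Minimal SQLite-backed store whose table name is derived from a validated prefix.

    Hypothetical class for this example; it mirrors the shape of a conversation
    store but is not PraisonAI's SQLiteConversationStore.
    """

    def __init__(self, table_prefix: str = "praison_", conn=None):
        # Validation happens once, at construction, before any DDL runs.
        self.table = safe_table_name(table_prefix)
        self.conn = conn or sqlite3.connect(":memory:")
        # DDL cannot take bound parameters for identifiers, hence the allow-list.
        self.conn.execute(
            f"CREATE TABLE IF NOT EXISTS {self.table} "
            "(conversation_id TEXT, role TEXT, content TEXT)"
        )

    def add(self, conversation_id: str, role: str, content: str) -> None:
        # Data values are always bound with placeholders, never formatted in.
        self.conn.execute(
            f"INSERT INTO {self.table} (conversation_id, role, content) VALUES (?, ?, ?)",
            (conversation_id, role, content),
        )

    def history(self, conversation_id: str):
        cur = self.conn.execute(
            f"SELECT role, content FROM {self.table} WHERE conversation_id = ?",
            (conversation_id,),
        )
        return cur.fetchall()


if __name__ == "__main__":
    store = ConversationStore("agent_")
    store.add("c1", "user", "hello")
    print(store.table, store.history("c1"))
    for candidate in ["agent_", "public.conv", "x; --", ""]:
        print(repr(candidate), "ok" if is_valid_identifier(candidate) else "rejected")
```

The same validator applies to the schema parameter the advisory mentions for postgres.py: a schema name is also an identifier, so it is checked with the same allow-list before being used in DDL. Values that fail the check are rejected outright rather than escaped, which is simpler to reason about across backends with different quoting rules.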



Advisories
Source | ID | Title
GitHub GHSA | GHSA-rg3h-x3jw-7jm5 | PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
History

Sat, 09 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mervinpraison; Mervinpraison praisonai
Vendors & Products | | Mervinpraison; Mervinpraison praisonai

Fri, 08 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Praison; Praison praisonai; Praison praisonaiagents
CPEs | | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*; cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*
Vendors & Products | | Praison; Praison praisonai; Praison praisonaiagents

Fri, 08 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.
Title | | PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T23:18:11.328Z

Reserved: 2026-04-20T16:14:19.009Z

Link: CVE-2026-41496

Vulnrichment

Updated: 2026-05-08T23:18:03.585Z

NVD

Status: Modified

Published: 2026-05-08T14:16:33.693

Modified: 2026-05-09T00:16:27.707

Link: CVE-2026-41496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:00:09Z

Weaknesses