CVE-2026-44337 - Vulnerability Details

- PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

Description

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.

Published: 2026-05-08

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

PraisonAI implements optional SQL and CQL backends for its knowledge store. From version 2.4.1 up to just before 4.6.34, the system builds table and index identifiers directly from the collection name supplied by the application. This allows an attacker to supply an untrusted collection name that contains injected SQL or CQL code, enabling exploitation of CWE-20 and CWE-89 weaknesses. The injection can lead to unauthorized data disclosure, alteration, or destruction within the database hierarchy, impacting the confidentiality, integrity, and availability of the knowledge store.

Affected Systems

Vendors affected: MervinPraison, product: PraisonAI. Versions vulnerable include all releases from 2.4.1 through the latest pre‑4.6.34. Products after 4.6.34 contain the fix.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no currently known widespread exploitation. The likely attack vector requires an attacker to interact with an application that uses the SQL/CQL knowledge‑store and control the collection name parameter; therefore, the vulnerability is accessible via the application layer and may require authentication or elevated permissions to exploit fully. External exploitation would be possible if the application is exposed over a network and accepts uncontrolled collection names.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MervinPraison

PraisonAI

affected

Version	Status	Constraints
`>= 2.4.1, < 4.6.34`	affected	—

Configuration 1 [-]

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Praison

Praisonai

95%

Version	Status	Scheme	Platform
`[2.4.1,4.6.34)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch delivered in PraisonAI 4.6.34 or later.
If patch deployment is delayed, sanitize and validate all collection name inputs before they are used in SQL/CQL statements, or use parameterized queries that avoid dynamic identifier construction.
Disable the optional SQL or CQL backends entirely for environments that do not require them, and enforce least‑privilege database roles on the remaining services.

Generated by OpenCVE AI on May 8, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00065.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2

History

Fri, 08 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Praison Praison praisonai
CPEs		cpe:2.3:a:praison:praisonai::::::::
Vendors & Products		Praison Praison praisonai

Fri, 08 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.
Title		PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
Weaknesses		CWE-20 CWE-89
References		https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

Praison Praisonai

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T13:33:51.716Z

Updated: 2026-05-08T14:19:46.766Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44337

Vulnrichment

Updated: 2026-05-08T14:19:38.407Z

NVD

Status : Analyzed

Published: 2026-05-08T14:16:46.587

Modified: 2026-05-08T19:07:00.780

Link: CVE-2026-44337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object