CVE-2026-40315
Description
PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.
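The injection path described above, as an added example that is not PraisonAI's own code: a minimal stand-in conversation store that splices `table_prefix` into its queries the way the advisory describes, beside a hardened version that validates the identifier before it is ever interpolated. The store layout (a sessions table with `id` and `title` columns, the `create_tables`/`add_session`/`list_sessions` methods), the attacker value `MALICIOUS_PREFIX` and the in-memory rows are all constructed for this example; only the regex inside `passes_patch_check` is the one from the fix commit.

```python
import re
import sqlite3

# Exact pattern from the 4.5.133 fix, applied with re.match as the patch does.
_PATCH_PATTERN = re.compile(r"^[a-zA-Z0-9_]*$")
# Tightened form used by HardenedStore: fullmatch closes the trailing-newline gap of
# '$', and a non-empty prefix must start with a letter or underscore.
_SAFE_PREFIX = re.compile(r"(?:[A-Za-z_][A-Za-z0-9_]*)?")


def passes_patch_check(table_prefix: str) -> bool:
    """True if the prefix would be accepted by the regex in the fix commit."""
    return _PATCH_PATTERN.match(table_prefix) is not None


def passes_hardened_check(table_prefix: str) -> bool:
    """True if the prefix is empty or a plain SQL identifier fragment."""
    return _SAFE_PREFIX.fullmatch(table_prefix) is not None


class VulnerableStore:
    """Pre-fix pattern (constructed stand-in): table_prefix is trusted and spliced into SQL."""

    def __init__(self, conn, table_prefix=""):
        self.conn = conn
        self.sessions_table = f"{table_prefix}sessions"

    def create_tables(self):
        self.conn.execute(
            f"CREATE TABLE IF NOT EXISTS {self.sessions_table} "
            "(id TEXT PRIMARY KEY, title TEXT)"
        )

    def add_session(self, session_id, title):
        # Values are bound as parameters; the identifier is the only unparameterisable part.
        self.conn.execute(
            f"INSERT INTO {self.sessions_table} (id, title) VALUES (?, ?)",
            (session_id, title),
        )

    def list_sessions(self):
        return self.conn.execute(
            f"SELECT id, title FROM {self.sessions_table}"
        ).fetchall()


class HardenedStore(VulnerableStore):
    """Same queries, but the identifier is validated before it reaches an f-string."""

    def __init__(self, conn, table_prefix=""):
        if not passes_hardened_check(table_prefix):
            raise ValueError(
                "table_prefix must be empty or an identifier of letters, digits and underscores"
            )
        super().__init__(conn, table_prefix)


# Constructed attacker value: the trailing "sessions" appended by the f-string is
# swallowed by the SQL comment, and the UNION pulls schema rows out of sqlite_master.
MALICIOUS_PREFIX = (
    "sessions UNION SELECT name, sql FROM sqlite_master WHERE type='table' -- "
)


def demo_schema_disclosure():
    """Rows returned when an attacker-influenced prefix is used against existing tables."""
    conn = sqlite3.connect(":memory:")
    legit = VulnerableStore(conn)  # deployed with the default (empty) prefix
    legit.create_tables()
    legit.add_session("s1", "quarterly planning")
    # A second store built from attacker-influenced config (from_dict/from_yaml in the advisory)
    # reuses the same database; its SELECT now carries the UNION.
    attacker = VulnerableStore(conn, table_prefix=MALICIOUS_PREFIX)
    return attacker.list_sessions()


def demo_hardened_rejects():
    """True if the hardened store refuses the same prefix before any query runs."""
    conn = sqlite3.connect(":memory:")
    try:
        HardenedStore(conn, table_prefix=MALICIOUS_PREFIX)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for row in demo_schema_disclosure():
        print(row)  # the session row, then ('sessions', 'CREATE TABLE sessions (...)')
    print("hardened store rejects payload:", demo_hardened_rejects())
    print("patch regex accepts 'abc\\n':", passes_patch_check("abc\n"))
    print("fullmatch accepts 'abc\\n':", passes_hardened_check("abc\n"))
```

Two things the example makes visible that the description does not: the payload never has to survive `CREATE TABLE`, because the tables already exist when the attacker-configured store is instantiated; and `re.match` with `$` accepts a prefix ending in a newline, which `re.fullmatch` does not. Validation is the right control here since identifiers cannot be bound as parameters; quoting the validated name (`"{name}"`) is a reasonable second layer but is no substitute for the check.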
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| PraisonAI (PyPI) | < 4.5.133 | 4.5.133 |
Affected products
Patches
0accebb2e3c3 · refactor: harden sqlite identifier validation
3 files changed · +10 −3
.github/praisonai-issue-triage.yaml+3 −3 modified@@ -40,7 +40,7 @@ steps: action: | Implement the changes required to solve the issue: 1. Review the analyst's plan. - 2. Check out a dedicated fix branch by calling `execute_command` with `command` set to `git checkout -b praisonai/issue-$ISSUE_NUMBER`. Do NOT provide a `cwd` argument. + 2. Check out a dedicated fix branch by calling `execute_command` with `command` set to `git checkout -b praisonai/issue-{{ISSUE_NUMBER}}`. Do NOT provide a `cwd` argument. 3. Carefully modify the necessary files in the repository using bash commands (e.g. `cat`, `sed`, `echo`, or small inline scripts). 4. Double-check your edits by inspecting the file outputs or running `git diff` to ensure you changed what was required. expected_output: "Confirmation that the git branch was successfully created and the files were reliably modified without syntax errors." 
@@ -52,7 +52,7 @@ steps: 1. Stage the files with `execute_command` where `command` is `git add .`. Do NOT provide a `cwd` argument. 2. Commit the changes: `git commit -m "PraisonAI Automated Fix"` 3. Push the branch to GitHub: `git push -u origin HEAD` - 4. Create the Pull Request back to main: `gh pr create --title "Fix Issue $ISSUE_NUMBER" --body "Automated triage by PraisonAI Native Issue Triage." --head "praisonai/issue-$ISSUE_NUMBER" --base main` - 5. Post a comment on the original issue letting the user know: `gh issue comment $ISSUE_NUMBER -b "I have autonomously analyzed the codebase and written a fix for this issue! I've opened a Pull Request for your review."` + 4. Create the Pull Request back to main: `gh pr create --title "Fix Issue {{ISSUE_NUMBER}}" --body "Automated triage by PraisonAI Native Issue Triage." --head "praisonai/issue-{{ISSUE_NUMBER}}" --base main` + 5. Post a comment on the original issue letting the user know: `gh issue comment {{ISSUE_NUMBER}} -b "I have autonomously analyzed the codebase and written a fix for this issue! I've opened a Pull Request for your review."` expected_output: "The URL of the successfully created Pull Request." dependencies: [analyze_issue, implement_fix]
src/praisonai/praisonai/gateway/server.py+1 −0 modified@@ -203,6 +203,7 @@ def __init__( """ self.config = config or GatewayConfig(host=host, port=port) if hasattr(self.config, 'auth_token') and not self.config.auth_token: + import secrets self.config.auth_token = secrets.token_hex(16) logger.warning( f"No auth_token provided for Gateway server. Generated temporary token: {self.config.auth_token}. "
src/praisonai/praisonai/persistence/conversation/sqlite.py+6 −0 modified@@ -46,6 +46,12 @@ def __init__( check_same_thread: SQLite check_same_thread parameter """ self.path = path + + # Prevent SQL injection in table identifiers + import re + if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix): + raise ValueError("table_prefix must contain only alphanumeric characters and underscores") + self.table_prefix = table_prefix self.sessions_table = f"{table_prefix}sessions" self.messages_table = f"{table_prefix}messages"
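Review bot: the `.github/praisonai-issue-triage.yaml` change in the first hunk (swapping `$ISSUE_NUMBER` for `{{ISSUE_NUMBER}}` in `git checkout -b praisonai/issue-{{ISSUE_NUMBER}}`) is unrelated to the sqlite identifier hardening named in the commit subject and should be a separate commit. Separately, the rendered value lands inside a shell command string handed to `execute_command`, so whatever renders the `{{ISSUE_NUMBER}}` template should confirm the value is an integer before substitution; otherwise a crafted value is interpreted by the shell rather than by git.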
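Review bot: same substitution concern in the second yaml hunk for `gh pr create --head "praisonai/issue-{{ISSUE_NUMBER}}"` and especially `gh issue comment {{ISSUE_NUMBER}} -b "..."`, where the value is not even quoted, so an integer check at render time is the only thing between the template and the shell. Also, step 1's `git add .` stages every file in the checkout, including anything earlier steps wrote by mistake; staging only the files the fix step modified would keep the automated PR minimal.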
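Review bot: in the `server.py` hunk the new `import secrets` sits inside the `if` body, directly above the existing `secrets.token_hex(16)` call, so that branch previously raised NameError whenever no auth_token was configured; the fix is right but belongs at module top level with the other imports, and it is unrelated to the CVE this commit is credited with. The more important point is the unchanged context line that follows: the generated token is written to the warning log at full value (`Generated temporary token: {self.config.auth_token}`), so anyone who can read the gateway logs can authenticate to it. Log that a token was generated and surface the value through something other than the log, or at least not in full.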
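Review bot: in the `sqlite.py` hunk, `re.match(r'^[a-zA-Z0-9_]*$', table_prefix)` is looser than it looks: `$` also matches just before a trailing newline, so a value like `"agent\n"` passes and is then spliced into `f"{table_prefix}sessions"`; use `re.fullmatch(r'[A-Za-z0-9_]*', table_prefix)` or end the pattern with `\Z`. The class also admits a prefix that begins with a digit and one that begins with `sqlite_`, which SQLite reserves for its internal objects, so those fail later at `CREATE TABLE` instead of here with a clear error; `(?:[A-Za-z_][A-Za-z0-9_]*)?` plus an explicit `sqlite_` rejection would cover both while keeping the empty default. Minor: a non-str `table_prefix` (for example None from a config loader) raises TypeError from `re.match` rather than the intended ValueError, so check `isinstance(table_prefix, str)` first, and `import re` belongs at module level rather than inside `__init__`.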
References
- github.com/MervinPraison/PraisonAI/commit/0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef (NVD: Patch)
- github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-x783-xp3g-mqhp (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40315 (GHSA: Advisory)
- github.com/MervinPraison/PraisonAI/releases/tag/v4.5.133 (GHSA: Web)
News mentions
- PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure (The Hacker News, May 14, 2026)
- Hackers Targeted PraisonAI Vulnerability Hours After Disclosure (SecurityWeek, May 14, 2026)