CVE-2026-41496
Modified Modified - Updated After Analysis
SQL Injection in PraisonAI Multi-Agent System

Publication date: 2026-05-08

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends β€” MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB β€” pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41496
EUVD
EUVD-2026-28594
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
praison praisonai to 4.6.9 (exc)
praison praisonaiagents to 1.6.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41496 is a SQL injection vulnerability in the PraisonAI software affecting multiple conversation store backends including MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, and SurrealDB.

The issue arises because these backends accept a `table_prefix` parameter directly into SQL queries using f-strings without proper validation or sanitization, creating 52 injection points. Additionally, the PostgreSQL backend accepts an unvalidated `schema` parameter used in DDL operations.

This vulnerability allows attackers to inject malicious SQL code through externally controlled inputs such as multi-tenant configurations, API requests, or user-editable files. While a previous fix addressed this issue only for the SQLite backend, the other backends remained vulnerable until patched in version 4.6.9 of PraisonAI and version 1.6.9 of praisonaiagents.

Impact Analysis

Exploitation of this vulnerability can allow attackers to execute arbitrary SQL commands on the affected databases.

  • Attackers can gain full read access to sensitive data.
  • Attackers can modify or delete data, compromising data integrity.
  • Attackers can perform destructive operations such as dropping tables.

Overall, this can lead to significant confidentiality and integrity breaches in your database systems.

Detection Guidance

This vulnerability can be detected by checking if your PraisonAI deployment uses any of the nine affected backends (MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB) with externally controlled table_prefix or schema parameters that are not properly validated.

Detection involves reviewing configuration files, API inputs, or multi-tenant settings for unvalidated table_prefix or schema values that could be exploited.

You can also attempt to detect SQL injection vulnerabilities by testing injection payloads in these parameters, such as using inputs like: x'; DROP TABLE users; --

Specific commands depend on your environment, but example SQL injection test commands might include sending crafted API requests or modifying configuration files with suspicious table_prefix values and monitoring for errors or unexpected database behavior.

Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI to version 4.6.9 or later and praisonaiagents to version 1.6.9 or later, where the vulnerability has been patched.

Until upgrading, avoid using externally controlled or user-editable values for the table_prefix and schema parameters in the affected backends.

Implement input validation and sanitization for all parameters passed into SQL queries, especially table_prefix and schema, to prevent injection.

Review your deployment for any custom or multi-tenant configurations that might pass unvalidated inputs into SQL queries and restrict or sanitize those inputs.

Compliance Impact

This SQL injection vulnerability in PraisonAI affects the confidentiality and integrity of data by allowing attackers to execute arbitrary SQL commands, potentially leading to unauthorized read, write, and deletion of sensitive information.

Such unauthorized access and manipulation of data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data privacy, integrity, and protection against unauthorized access.

Therefore, if exploited, this vulnerability could lead to breaches of personal or protected health information, violating regulatory requirements and potentially resulting in legal and financial consequences for affected organizations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41496. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart