PraisonAI CVE-2026-44337

EUVD-2026-28640 | MEDIUM
Improper Input Validation (CWE-20)
2026-05-08 security-advisories@github.com GHSA-3643-7v76-5cj2
CVSS 3.1 score: 6.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: May 08, 2026 - 15:17 (EUVD)
Analysis Generated: May 08, 2026 - 15:01 (vuln.today)
CVE Published: May 08, 2026 - 14:16 (nvd), MEDIUM 6.3

Description (NVD)

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.

Analysis (AI)

A SQL and CQL injection vulnerability in the PraisonAI multi-agent teams system, versions 2.4.1 through 4.6.33, allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to the optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low-complexity exploitation.
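
The description attributes the injection to table and index identifiers built from unvalidated name and collection arguments. The following is an added example, not PraisonAI's code or its patch: one way an application can allow-list collection names before they reach a SQL backend, shown with Python's sqlite3. The functions `safe_identifier`, `create_collection`, `add_document`, the `kb_` prefix and the sample names are hypothetical.

```python
import re
import sqlite3

# Conservative allow-list: ASCII letter or underscore first, then letters,
# digits or underscores; the 40-character cap is an arbitrary choice.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,39}")


def safe_identifier(name):
    """Return name unchanged if it is a plain identifier, else raise ValueError."""
    # fullmatch (not match with $) also rejects a trailing newline.
    if not isinstance(name, str) or not _IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected collection name: {name!r}")
    return name


def create_collection(conn, collection):
    """Hypothetical backend method: create a per-collection table and index."""
    table = "kb_" + safe_identifier(collection)  # validate BEFORE interpolating
    # Identifiers cannot be bound as ? parameters, so they are interpolated only
    # after validation; quoting is defence in depth, not the primary control.
    conn.execute(f'CREATE TABLE IF NOT EXISTS "{table}" (id TEXT PRIMARY KEY, body TEXT)')
    conn.execute(f'CREATE INDEX IF NOT EXISTS "idx_{table}" ON "{table}" (body)')
    return table


def add_document(conn, collection, doc_id, body):
    """Values still go through bound parameters, never string formatting."""
    table = "kb_" + safe_identifier(collection)
    conn.execute(f'INSERT INTO "{table}" (id, body) VALUES (?, ?)', (doc_id, body))


def demo():
    """Run constructed inputs; return (tables present, names rejected)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (v TEXT)")  # unrelated table; must survive
    rejected = []
    # Constructed sample names: one benign, four hostile or malformed.
    for name in ["team_docs", 'x"; DROP TABLE secrets; --', "a b", "1st", ""]:
        try:
            create_collection(conn, name)
            add_document(conn, name, "d1", "hello")
        except ValueError:
            rejected.append(name)
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows], rejected
```

The same allow-list applies to names destined for a CQL backend, since neither SQL nor CQL accepts identifiers as bound parameters.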
