Skip to main content

PraisonAI CVE-2026-44337

| EUVDEUVD-2026-28640 MEDIUM
Improper Input Validation (CWE-20)
2026-05-08 security-advisories@github.com GHSA-3643-7v76-5cj2
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
May 08, 2026 - 15:17 EUVD
Analysis Generated
May 08, 2026 - 15:01 vuln.today
CVE Published
May 08, 2026 - 14:16 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.

AnalysisAI

SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.

Technical ContextAI

PraisonAI implements optional knowledge-store backends using SQL and CQL (Cassandra Query Language) databases. These backends construct table and index identifiers by concatenating user-supplied name and collection arguments without proper input validation or parameterized queries. The root cause is improper input validation (CWE-20) of collection names before they are incorporated into dynamic SQL/CQL statement construction, allowing attackers to break out of the intended identifier context and inject arbitrary SQL or CQL syntax. This affects the SQL and CQL storage implementations specifically, not the default in-memory or document-based stores.

RemediationAI

Upgrade PraisonAI to version 4.6.34 or later, which patches the vulnerability by validating and properly handling collection name inputs. Organizations unable to immediately upgrade should disable SQL/CQL-backed knowledge stores and use alternative storage backends (in-memory or document-based) until patching is feasible. As a compensating control, restrict collection name inputs to allowlisted values containing only alphanumeric characters and underscores, enforced at the application layer before passing to PraisonAI APIs - this mitigates injection but reduces flexibility and requires code changes. Additionally, enforce least-privilege database access at the database level, ensuring PraisonAI's database user has minimal required permissions (e.g., read-only if knowledge-store is read-only), which limits damage from successful SQL injection. See https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2 for patch confirmation.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-44337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy