Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34.
AnalysisAI
SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.
Technical ContextAI
PraisonAI implements optional knowledge-store backends using SQL and CQL (Cassandra Query Language) databases. These backends construct table and index identifiers by concatenating user-supplied name and collection arguments without proper input validation or parameterized queries. The root cause is improper input validation (CWE-20) of collection names before they are incorporated into dynamic SQL/CQL statement construction, allowing attackers to break out of the intended identifier context and inject arbitrary SQL or CQL syntax. This affects the SQL and CQL storage implementations specifically, not the default in-memory or document-based stores.
RemediationAI
Upgrade PraisonAI to version 4.6.34 or later, which patches the vulnerability by validating and properly handling collection name inputs. Organizations unable to immediately upgrade should disable SQL/CQL-backed knowledge stores and use alternative storage backends (in-memory or document-based) until patching is feasible. As a compensating control, restrict collection name inputs to allowlisted values containing only alphanumeric characters and underscores, enforced at the application layer before passing to PraisonAI APIs - this mitigates injection but reduces flexibility and requires code changes. Additionally, enforce least-privilege database access at the database level, ensuring PraisonAI's database user has minimal required permissions (e.g., read-only if knowledge-store is read-only), which limits damage from successful SQL injection. See https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2 for patch confirmation.
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28640
GHSA-3643-7v76-5cj2