Cyber Resilience

CVE-2026-40315

HighPublic PoC

Published: 14 April 2026

Published
14 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v4 7.2 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 21.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40315 is a high-severity SQL Injection (CWE-89) vulnerability in Praison Praisonai. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-8 (Security and Privacy Engineering Principles) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-40315 is an SQL identifier injection vulnerability affecting PraisonAI, a multi-agent teams system, in versions prior to 4.5.133. The issue resides in the SQLiteConversationStore component, where the table_prefix configuration value is directly concatenated into SQL queries using f-strings without validation or sanitization. SQL identifiers cannot be safely parameterized, allowing injected arbitrary SQL fragments to alter query structure. The vulnerability originates from configuration input in config.py, propagates through factory.py, and manifests in SQL query construction in sqlite.py. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89.

An attacker who can control the table_prefix value, such as through from_yaml or from_dict configuration input, can exploit this vulnerability remotely with low complexity and no privileges required. Successful exploitation enables unauthorized data access, including reading internal SQLite tables like sqlite_master for schema disclosure, as well as manipulation of query results via techniques like UNION-based injection, leading to full query result tampering.

The vulnerability has been addressed in PraisonAI version 4.5.133. Security practitioners should upgrade to this version or later. Relevant details are available in the GitHub security advisory (GHSA-x783-xp3g-mqhp) and the fixing commit (0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef).

PraisonAI's role as a multi-agent teams system introduces AI/ML relevance, as exploitation could compromise conversation storage and potentially affect agent interactions or data integrity in AI-driven workflows. No real-world exploitation has been reported.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot…

more

be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Remote SQL injection vulnerability in application component directly enables T1190 (Exploit Public-Facing Application) for initial exploitation; facilitates T1005 (Data from Local System) via unauthorized access to SQLite tables and query result manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34934Same product: Praison Praisonai
CVE-2026-35615Same product: Praison Praisonai
CVE-2026-41496Same product: Praison Praisonai
CVE-2026-44338Same product: Praison Praisonai
CVE-2026-39889Same product: Praison Praisonai
CVE-2026-34952Same product: Praison Praisonai
CVE-2026-39890Same product: Praison Praisonai
CVE-2026-39891Same product: Praison Praisonai
CVE-2026-44334Same product: Praison Praisonai
CVE-2026-39888Same product: Praison Praisonai

Affected Assets

praison
praisonai
≤ 4.5.133

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires information input validation and error handling for configuration values like table_prefix to block SQL identifier injection in SQLite queries.

prevent

Mandates timely flaw remediation by upgrading to PraisonAI 4.5.133, which fixes the unsafe f-string concatenation in sqlite.py.

prevent

Applies security engineering principles such as input validation and safe query construction to prevent SQL injection flaws during system development.

References