Cyber Posture

CVE-2026-40315

CriticalPublic PoC

Published: 14 April 2026

Published
14 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 11.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40315 is a critical-severity SQL Injection (CWE-89) vulnerability in Praison Praisonai. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-8 (Security and Privacy Engineering Principles) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires information input validation and error handling for configuration values like table_prefix to block SQL identifier injection in SQLite queries.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation by upgrading to PraisonAI 4.5.133, which fixes the unsafe f-string concatenation in sqlite.py.

SA-8 Security and Privacy Engineering Principles good match
prevent

Applies security engineering principles such as input validation and safe query construction to prevent SQL injection flaws during system development.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

Remote SQL injection vulnerability in application component directly enables T1190 (Exploit Public-Facing Application) for initial exploitation; facilitates T1005 (Data from Local System) via unauthorized access to SQLite tables and query result manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot…

more

be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.

Deeper analysisAI

CVE-2026-40315 is an SQL identifier injection vulnerability affecting PraisonAI, a multi-agent teams system, in versions prior to 4.5.133. The issue resides in the SQLiteConversationStore component, where the table_prefix configuration value is directly concatenated into SQL queries using f-strings without validation or sanitization. SQL identifiers cannot be safely parameterized, allowing injected arbitrary SQL fragments to alter query structure. The vulnerability originates from configuration input in config.py, propagates through factory.py, and manifests in SQL query construction in sqlite.py. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89.

An attacker who can control the table_prefix value, such as through from_yaml or from_dict configuration input, can exploit this vulnerability remotely with low complexity and no privileges required. Successful exploitation enables unauthorized data access, including reading internal SQLite tables like sqlite_master for schema disclosure, as well as manipulation of query results via techniques like UNION-based injection, leading to full query result tampering.

The vulnerability has been addressed in PraisonAI version 4.5.133. Security practitioners should upgrade to this version or later. Relevant details are available in the GitHub security advisory (GHSA-x783-xp3g-mqhp) and the fixing commit (0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef).

PraisonAI's role as a multi-agent teams system introduces AI/ML relevance, as exploitation could compromise conversation storage and potentially affect agent interactions or data integrity in AI-driven workflows. No real-world exploitation has been reported.

Details

CWE(s)
CWE-89

Affected Products

praison
praisonai
≤ 4.5.133

CVEs Like This One

CVE-2026-34934Same product: Praison Praisonai
CVE-2026-35615Same product: Praison Praisonai
CVE-2026-39890Same product: Praison Praisonai
CVE-2026-34952Same product: Praison Praisonai
CVE-2026-39889Same product: Praison Praisonai
CVE-2026-39308Same product: Praison Praisonai
CVE-2026-39891Same product: Praison Praisonai
CVE-2026-39888Same product: Praison Praisonai
CVE-2026-40114Same product: Praison Praisonai
CVE-2026-44334Same product: Praison Praisonai

References