CVE-2026-40315 Overview
CVE-2026-40315 is an SQL identifier injection vulnerability discovered in PraisonAI, a multi-agent teams system. The vulnerability exists in the SQLiteConversationStore component where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure.
Critical Impact
This vulnerability enables unauthorized data access, including reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. Successful exploitation leads to internal schema disclosure and full query result tampering.
Affected Products
- PraisonAI versions prior to 4.5.133
- PraisonAI SQLiteConversationStore component
- Systems using PraisonAI with user-controllable configuration inputs
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-40315 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-40315
Vulnerability Analysis
This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The flaw resides in how PraisonAI constructs SQL queries for its conversation storage functionality. The table_prefix parameter, intended to allow customization of database table names, is concatenated directly into SQL statements using Python f-strings without proper validation.
The vulnerability propagation path flows from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. This creates a clear attack chain where malicious configuration data can influence the structure of executed SQL queries.
Unlike traditional SQL injection that targets query values, this is an identifier injection vulnerability. Standard parameterized queries cannot protect identifiers (table names, column names) as they can only safely bind values. This makes the vulnerability particularly dangerous because the typical mitigation strategy of using prepared statements is ineffective.
Root Cause
The root cause is the direct concatenation of user-controllable input (table_prefix) into SQL identifier positions without validation. The code constructs table names like f"{table_prefix}sessions" and f"{table_prefix}messages" where the prefix comes from configuration sources that may be attacker-controlled. Since identifiers cannot be parameterized in SQL, proper input validation using allowlist patterns is required but was missing.
Attack Vector
The attack requires local access with the ability to influence configuration input. An attacker can exploit this through several vectors:
- YAML Configuration Poisoning: Supplying malicious table_prefix values through from_yaml configuration loading
- Dictionary Configuration Injection: Passing crafted table_prefix values via from_dict configuration methods
- UNION-Based Injection: Injecting SQL fragments that append UNION SELECT statements to exfiltrate data from other tables
- Schema Disclosure: Targeting sqlite_master to enumerate all tables, columns, and database structure
An attacker could craft a table_prefix value containing SQL syntax like "; SELECT * FROM sqlite_master WHERE " to break out of the intended query structure and execute arbitrary SQL commands.
The security patch implements proper validation:
check_same_thread: SQLite check_same_thread parameter
"""
self.path = path
+
+ # Prevent SQL injection in table identifiers
+ import re
+ if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
+ raise ValueError("table_prefix must contain only alphanumeric characters and underscores")
+
self.table_prefix = table_prefix
self.sessions_table = f"{table_prefix}sessions"
self.messages_table = f"{table_prefix}messages"
Source: GitHub Commit
Detection Methods for CVE-2026-40315
Indicators of Compromise
- Unusual or malformed table names appearing in SQLite database files used by PraisonAI
- Configuration files (YAML or dictionary inputs) containing special SQL characters in table_prefix values
- Unexpected queries against sqlite_master or other system tables in database logs
- Error messages indicating SQL syntax errors from the SQLiteConversationStore component
Detection Strategies
- Monitor PraisonAI configuration loading for table_prefix values containing non-alphanumeric characters (except underscores)
- Implement application-layer logging to capture all configuration values passed to SQLiteConversationStore
- Analyze SQLite database files for evidence of injected table structures or unexpected data exfiltration
- Review YAML configuration files for injection attempts using patterns like semicolons, quotes, or SQL keywords
Monitoring Recommendations
- Enable verbose logging in PraisonAI to capture configuration parsing events
- Set up file integrity monitoring on configuration files to detect unauthorized modifications
- Implement input validation alerts at the application boundary where configuration is loaded
- Monitor for ValueError exceptions with the message "table_prefix must contain only alphanumeric characters and underscores" as indicators of blocked exploitation attempts
How to Mitigate CVE-2026-40315
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.133 or later immediately
- Audit all configuration sources (YAML files, dictionary inputs) for suspicious table_prefix values
- Review SQLite database files for evidence of prior exploitation or data tampering
- Implement strict access controls on configuration files and configuration input sources
- Consider regenerating conversation databases if exploitation is suspected
Patch Information
The vulnerability has been fixed in PraisonAI version 4.5.133. The fix implements regex-based validation that restricts table_prefix values to alphanumeric characters and underscores only, preventing SQL identifier injection attacks.
For detailed patch information, refer to the GitHub Security Advisory GHSA-x783-xp3g-mqhp and the security commit.
Workarounds
- If immediate upgrade is not possible, implement custom input validation for table_prefix values before passing them to PraisonAI
- Restrict configuration loading to trusted, read-only sources that cannot be modified by untrusted users
- Use file system permissions to prevent modification of YAML configuration files
- Consider running PraisonAI in an isolated environment with limited database access privileges
# Example: Verify PraisonAI version and upgrade
pip show praisonai | grep Version
pip install --upgrade praisonai>=4.5.133
# Verify the installed version includes the fix
pip show praisonai | grep Version
# Should show 4.5.133 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
