CVE-2026-44337 Overview
CVE-2026-44337 affects PraisonAI, a multi-agent teams system maintained by MervinPraison. Versions from 2.4.1 to before 4.6.34 expose optional SQL and Cassandra Query Language (CQL) backed knowledge-store implementations. These backends construct table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into the affected backends can trigger SQL or CQL injection. The maintainers patched the issue in version 4.6.34.
Critical Impact
Authenticated attackers can inject SQL or CQL statements through collection identifiers, leading to unauthorized data access, modification, or service disruption in knowledge-store backends.
Affected Products
- PraisonAI versions 2.4.1 through 4.6.33
- Optional SQL-backed knowledge-store implementations
- Optional CQL (Cassandra) backed knowledge-store implementations
Discovery Timeline
- 2026-05-08 - CVE-2026-44337 published to the National Vulnerability Database
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-44337
Vulnerability Analysis
The vulnerability resides in PraisonAI's optional knowledge-store backends that interface with SQL and CQL databases. These backends accept caller-supplied name and collection arguments and embed them directly into table and index identifier positions within database statements. Because identifiers cannot be parameterized through standard prepared statements, the code path requires strict allowlisting or quoting, neither of which the affected versions enforced.
The issue maps to [CWE-20] Improper Input Validation. Applications built on PraisonAI that forward untrusted user input — such as agent configuration values, API parameters, or tenant identifiers — to knowledge-store APIs inherit the injection exposure.
Root Cause
The backend code constructs Data Definition Language (DDL) and Data Manipulation Language (DML) statements by string concatenation. Collection and name parameters flow into table and index identifier positions without character validation or identifier quoting. The trust boundary assumes callers supply safe identifiers, which breaks down when applications expose collection naming to end users.
Attack Vector
An attacker requires network access and low-privilege authentication to the application embedding PraisonAI. The attacker supplies a crafted collection or name string containing SQL or CQL metacharacters. When the knowledge-store backend processes the request, the injected payload executes within the database session context. Exploitation does not require user interaction.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-3643-7v76-5cj2 for technical details.
Detection Methods for CVE-2026-44337
Indicators of Compromise
- Database audit logs showing unexpected DDL operations such as DROP TABLE, CREATE INDEX, or ALTER statements originating from the PraisonAI application account
- Knowledge-store collection names containing SQL metacharacters such as quotes, semicolons, comments (--, /*), or whitespace
- Application logs recording knowledge-store API calls with anomalous name or collection argument lengths or non-alphanumeric characters
Detection Strategies
- Inspect application telemetry for PraisonAI knowledge-store API calls and flag any collection identifiers that fail an alphanumeric-plus-underscore allowlist
- Correlate database server query logs with application request logs to identify identifier values reaching the database that differ from values the application intended to send
- Review software bills of materials (SBOMs) and dependency manifests for praisonai versions between 2.4.1 and 4.6.33
Monitoring Recommendations
- Enable verbose query logging on SQL and Cassandra backends serving PraisonAI workloads and forward to a centralized log platform
- Alert on database errors referencing syntax failures from the PraisonAI service account, which often indicate failed injection attempts
- Track outbound queries from agent processes for unexpected schema enumeration patterns
How to Mitigate CVE-2026-44337
Immediate Actions Required
- Upgrade PraisonAI to version 4.6.34 or later across all environments running affected releases
- Audit application code paths that forward user-controlled input to PraisonAI knowledge-store APIs and validate collection names against a strict allowlist
- Rotate database credentials used by PraisonAI service accounts if injection activity is suspected in audit logs
Patch Information
The maintainers fixed the vulnerability in PraisonAI version 4.6.34. The patch validates and sanitizes identifier arguments before they reach the SQL or CQL statement assembly logic. Refer to the GitHub Security Advisory GHSA-3643-7v76-5cj2 for the full advisory text and commit references.
Workarounds
- Restrict the database service account used by PraisonAI to the minimum privileges required, removing DDL rights where possible
- Place an input validation layer in front of any application endpoint that accepts collection or knowledge-store names, rejecting non-alphanumeric characters
- Disable optional SQL or CQL knowledge-store backends and use an alternative non-affected store until the upgrade is completed
# Configuration example: pin a patched version in requirements
pip install "praisonai>=4.6.34"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
