CVE-2026-40315 — CRITICAL (9.8)

Q: How severe is CVE-2026-40315?

CVE-2026-40315 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-40315?

Check the references section above for vendor advisories and patch information. Affected products include: Praison Praisonai.

Vulnerability Description

PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Praison	Praisonai	< 4.5.133

Related Weaknesses (CWE)

CWE-89

References

https://github.com/MervinPraison/PraisonAI/commit/0accebb2e3c3ec2fca66bbea0444fbPatch
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqExploitVendor Advisory
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqExploitVendor Advisory

FAQ

What is CVE-2026-40315?

CVE-2026-40315 is a vulnerability with a CVSS score of 9.8 (CRITICAL). PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concaten...

How severe is CVE-2026-40315?

CVE-2026-40315 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-40315?

Check the references section above for vendor advisories and patch information. Affected products include: Praison Praisonai.