CVE-2026-40315

Source
https://cve.org/CVERecord?id=CVE-2026-40315
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40315.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40315
Aliases
Published
2026-04-14T02:45:33.880Z
Modified
2026-07-13T16:43:02.535981465Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
Details

PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the tableprefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the tableprefix value (e.g., through fromyaml or fromdict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. This issue has been fixed in version 4.5.133.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40315.json"
}
References

Affected packages

Git / github.com/mervinpraison/praisonai

Affected ranges

Type
GIT
Repo
https://github.com/mervinpraison/praisonai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.5.133"
        }
    ],
    "cpe": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.0.55
0.0.56
0.0.57
0.0.59rc5
2.*
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
2.0.59
2.0.60
2.0.61
2.0.62
2.0.63
2.0.64
2.0.65
2.0.66
2.0.67
2.0.68
2.0.69
2.0.70
2.0.71
2.0.72
2.0.73
2.0.74
2.0.75
2.0.76
praisonai-cli@0.*
praisonai-cli@0.2.0
praisonai-derive@0.*
praisonai-derive@0.2.0
praisonai@0.*
praisonai@0.2.0
v0.*
v0.0.1
v0.0.18
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.42
v0.0.43
v0.0.44
v0.0.45
v0.0.46
v0.0.47
v0.0.48
v0.0.49
v0.0.50
v0.0.51
v0.0.52
v0.0.53
v0.0.54
v0.0.58
v0.0.59
v0.0.59rc1
v0.0.59rc11
v0.0.59rc2
v0.0.59rc3
v0.0.59rc4
v0.0.59rc5
v0.0.59rc6
v0.0.59rc7
v0.0.59rc8
v0.0.59rc9
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.69
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.1.0
v0.1.1
v0.1.10
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.77
v2.0.78
v2.0.79
v2.0.8
v2.0.80
v2.0.81
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.37
v2.2.38
v2.2.39
v2.2.4
v2.2.40
v2.2.41
v2.2.42
v2.2.43
v2.2.44
v2.2.45
v2.2.46
v2.2.47
v2.2.48
v2.2.49
v2.2.5
v2.2.50
v2.2.51
v2.2.52
v2.2.53
v2.2.54
v2.2.55
v2.2.56
v2.2.57
v2.2.58
v2.2.59
v2.2.6
v2.2.60
v2.2.61
v2.2.62
v2.2.63
v2.2.64
v2.2.65
v2.2.66
v2.2.67
v2.2.68
v2.2.69
v2.2.7
v2.2.70
v2.2.71
v2.2.72
v2.2.73
v2.2.74
v2.2.75
v2.2.76
v2.2.77
v2.2.78
v2.2.79
v2.2.8
v2.2.80
v2.2.81
v2.2.82
v2.2.83
v2.2.84
v2.2.85
v2.2.86
v2.2.87
v2.2.89
v2.2.9
v2.2.90
v2.2.91
v2.2.93
v2.2.96
v2.2.97
v2.2.98
v2.2.99
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.43
v2.3.44
v2.3.45
v2.3.46
v2.3.47
v2.3.48
v2.3.49
v2.3.5
v2.3.50
v2.3.51
v2.3.52
v2.3.53
v2.3.54
v2.3.55
v2.3.56
v2.3.57
v2.3.58
v2.3.59
v2.3.6
v2.3.60
v2.3.61
v2.3.62
v2.3.63
v2.3.64
v2.3.65
v2.3.66
v2.3.67
v2.3.68
v2.3.69
v2.3.7
v2.3.70
v2.3.71
v2.3.72
v2.3.73
v2.3.74
v2.3.75
v2.3.76
v2.3.77
v2.3.78
v2.3.79
v2.3.8
v2.3.80
v2.3.81
v2.3.82
v2.3.83
v2.3.84
v2.3.85
v2.3.86
v2.3.87
v2.3.9
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v4.*
v4.4.10
v4.4.11
v4.4.12
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.10
v4.5.100
v4.5.101
v4.5.102
v4.5.103
v4.5.104
v4.5.105
v4.5.106
v4.5.107
v4.5.108
v4.5.109
v4.5.11
v4.5.110
v4.5.111
v4.5.112
v4.5.113
v4.5.115
v4.5.117
v4.5.118
v4.5.119
v4.5.12
v4.5.120
v4.5.121
v4.5.122
v4.5.123
v4.5.124
v4.5.125
v4.5.126
v4.5.128
v4.5.129
v4.5.13
v4.5.130
v4.5.131
v4.5.132
v4.5.14
v4.5.15
v4.5.16
v4.5.17
v4.5.18
v4.5.19
v4.5.2
v4.5.20
v4.5.21
v4.5.22
v4.5.23
v4.5.24
v4.5.25
v4.5.26
v4.5.27
v4.5.28
v4.5.29
v4.5.3
v4.5.30
v4.5.31
v4.5.32
v4.5.33
v4.5.34
v4.5.35
v4.5.36
v4.5.37
v4.5.38
v4.5.39
v4.5.40
v4.5.41
v4.5.42
v4.5.43
v4.5.44
v4.5.45
v4.5.46
v4.5.48
v4.5.49
v4.5.5
v4.5.51
v4.5.52
v4.5.54
v4.5.55
v4.5.56
v4.5.57
v4.5.58
v4.5.59
v4.5.6
v4.5.60
v4.5.62
v4.5.63
v4.5.64
v4.5.65
v4.5.67
v4.5.68
v4.5.69
v4.5.7
v4.5.70
v4.5.71
v4.5.72
v4.5.73
v4.5.74
v4.5.76
v4.5.77
v4.5.78
v4.5.79
v4.5.8
v4.5.80
v4.5.81
v4.5.82
v4.5.83
v4.5.85
v4.5.87
v4.5.88
v4.5.9
v4.5.90
v4.5.93
v4.5.94
v4.5.95
v4.5.96
v4.5.97
v4.5.98

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40315.json"