CVE-2026-41496: PraisonAI SQL Injection Impacts Multiple Backends
The National Vulnerability Database has detailed CVE-2026-41496, a high-severity SQL injection vulnerability affecting PraisonAI’s multi-agent teams system. This issue, present in versions prior to PraisonAI 4.6.9 and PraisonAI Agents 1.6.9, stems from a critical oversight in input validation. While a previous fix for CVE-2026-40315 addressed validation for SQLiteConversationStore, nine other database backends were left exposed.
These vulnerable backends—including MySQL, PostgreSQL, Turso, SingleStore, Supabase, and SurrealDB, along with their async counterparts—directly embed table_prefix into f-string SQL queries without proper sanitization. The National Vulnerability Database reports 52 distinct unvalidated injection points across the codebase sharing this root cause. Furthermore, the postgres.py module exacerbates the risk by accepting an unvalidated schema parameter directly used in DDL operations, opening the door for even more severe database manipulation. This allows for arbitrary SQL execution, leading to potential data exfiltration, modification, or even complete database compromise.
This vulnerability, with a CVSS score of 8.1 (High), highlights a fundamental security flaw (CWE-89) that could allow authenticated attackers to gain significant control over the underlying database. Organizations leveraging PraisonAI with any of the affected database backends are at severe risk. The issue has been patched in PraisonAI version 4.6.9 and PraisonAI Agents version 1.6.9.
What This Means For You
- If your organization uses PraisonAI with any of the affected database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB), you must immediately upgrade to PraisonAI version 4.6.9 and PraisonAI Agents version 1.6.9. An unpatched system is an open door for SQL injection, allowing an attacker to exfiltrate sensitive data, manipulate database contents, or achieve deeper system access. This is not a theoretical risk; it's a direct path to compromise.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41496: PraisonAI SQL Injection via table_prefix parameter
title: CVE-2026-41496: PraisonAI SQL Injection via table_prefix parameter
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-41496 by looking for the specific 'table_prefix=' parameter in web requests, which is directly injected into SQL queries by vulnerable versions of PraisonAI and PraisonAI Agents.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41496/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- "table_prefix='"
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41496 | SQLi | PraisonAI praisonai < 4.6.9 |
| CVE-2026-41496 | SQLi | PraisonAI praisonaiagents < 1.6.9 |
| CVE-2026-41496 | SQLi | Vulnerable backends: MySQL, PostgreSQL, async SQLite, async MySQL, async PostgreSQL, Turso, SingleStore, Supabase, SurrealDB |
| CVE-2026-41496 | SQLi | Unvalidated 'table_prefix' parameter used in f-string SQL |
| CVE-2026-41496 | Code Injection | postgres.py accepts unvalidated 'schema' parameter used in DDL |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console...
CVE-2026-6666 — A possible null pointer reference in PgBouncer before
CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE...
PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow
CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM...