CVE-2026-41496

Source
https://cve.org/CVERecord?id=CVE-2026-41496
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41496.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-41496
Aliases
Published
2026-05-08T13:19:10.753Z
Modified
2026-05-12T04:19:44.972178Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
Details

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to `SQLiteConversationStore` only. Nine sibling backends (MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB) pass `table_prefix` straight into f-string SQL. This is the same root cause, the same code pattern and the same exploitation as the original issue, and it leaves 52 unvalidated injection points across the codebase. `postgres.py` additionally accepts an unvalidated `schema` parameter that is used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.
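The pattern described above, shown next to an allow-list check, as an added example that is not PraisonAI's code or its actual patch. The function names, the `sessions` table suffix, the regex and the constructed test prefix are assumptions, and an in-memory SQLite database stands in for the affected backends so the block runs offline.

```python
import re
import sqlite3

# Assumed allow-list: letter or underscore first, then letters, digits, underscores.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

# Constructed hostile value, for demonstration only.
HOSTILE_PREFIX = "a (id TEXT); CREATE TABLE injected (x TEXT); --"


def validate_identifier(value, what="identifier"):
    """Return value unchanged if it is a plain SQL identifier, else raise."""
    if not isinstance(value, str) or not _IDENT_RE.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def unsafe_ddl(table_prefix):
    """Unvalidated prefix interpolated into an f-string, as the advisory describes."""
    return f"CREATE TABLE IF NOT EXISTS {table_prefix}sessions (id TEXT PRIMARY KEY)"


def safe_ddl(table_prefix, schema=None):
    """Validate every identifier part before it reaches the SQL text."""
    prefix = validate_identifier(table_prefix, "table_prefix")
    # ANSI double quotes; the quoting character is backend-specific.
    table = f'"{prefix}sessions"'
    if schema is not None:
        table = f'"{validate_identifier(schema, "schema")}".{table}'
    return f"CREATE TABLE IF NOT EXISTS {table} (id TEXT PRIMARY KEY)"


def tables_created(ddl):
    """Run DDL in a throwaway in-memory database and list the tables it made."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(ddl)
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    print(tables_created(unsafe_ddl("praison_")))      # one intended table
    print(tables_created(unsafe_ddl(HOSTILE_PREFIX)))  # statement structure changed
    print(safe_ddl("praison_", schema="public"))
```

Placeholders cannot bind table or schema names, so an allow-list on every identifier part is the check that has to be present in each backend, not only one.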

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41496.json",
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "praisonaiagents < 1.6.9"
                },
                {
                    "last_affected": "praisonai < 4.6.9"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/mervinpraison/praisonai

Affected ranges

Type
GIT
Repo
https://github.com/mervinpraison/praisonai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.6.9"
        }
    ]
}

Affected versions

0.*
0.0.55
0.0.56
0.0.57
0.0.59rc5
2.*
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
2.0.59
2.0.60
2.0.61
2.0.62
2.0.63
2.0.64
2.0.65
2.0.66
2.0.67
2.0.68
2.0.69
2.0.70
2.0.71
2.0.72
2.0.73
2.0.74
2.0.75
2.0.76
praisonai-cli@0.*
praisonai-cli@0.2.0
praisonai-derive@0.*
praisonai-derive@0.2.0
praisonai@0.*
praisonai@0.2.0
v0.*
v0.0.1
v0.0.18
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.42
v0.0.43
v0.0.44
v0.0.45
v0.0.46
v0.0.47
v0.0.48
v0.0.49
v0.0.50
v0.0.51
v0.0.52
v0.0.53
v0.0.54
v0.0.58
v0.0.59
v0.0.59rc1
v0.0.59rc11
v0.0.59rc2
v0.0.59rc3
v0.0.59rc4
v0.0.59rc5
v0.0.59rc6
v0.0.59rc7
v0.0.59rc8
v0.0.59rc9
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.69
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.1.0
v0.1.1
v0.1.10
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.77
v2.0.78
v2.0.79
v2.0.8
v2.0.80
v2.0.81
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.37
v2.2.38
v2.2.39
v2.2.4
v2.2.40
v2.2.41
v2.2.42
v2.2.43
v2.2.44
v2.2.45
v2.2.46
v2.2.47
v2.2.48
v2.2.49
v2.2.5
v2.2.50
v2.2.51
v2.2.52
v2.2.53
v2.2.54
v2.2.55
v2.2.56
v2.2.57
v2.2.58
v2.2.59
v2.2.6
v2.2.60
v2.2.61
v2.2.62
v2.2.63
v2.2.64
v2.2.65
v2.2.66
v2.2.67
v2.2.68
v2.2.69
v2.2.7
v2.2.70
v2.2.71
v2.2.72
v2.2.73
v2.2.74
v2.2.75
v2.2.76
v2.2.77
v2.2.78
v2.2.79
v2.2.8
v2.2.80
v2.2.81
v2.2.82
v2.2.83
v2.2.84
v2.2.85
v2.2.86
v2.2.87
v2.2.89
v2.2.9
v2.2.90
v2.2.91
v2.2.93
v2.2.96
v2.2.97
v2.2.98
v2.2.99
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.43
v2.3.44
v2.3.45
v2.3.46
v2.3.47
v2.3.48
v2.3.49
v2.3.5
v2.3.50
v2.3.51
v2.3.52
v2.3.53
v2.3.54
v2.3.55
v2.3.56
v2.3.57
v2.3.58
v2.3.59
v2.3.6
v2.3.60
v2.3.61
v2.3.62
v2.3.63
v2.3.64
v2.3.65
v2.3.66
v2.3.67
v2.3.68
v2.3.69
v2.3.7
v2.3.70
v2.3.71
v2.3.72
v2.3.73
v2.3.74
v2.3.75
v2.3.76
v2.3.77
v2.3.78
v2.3.79
v2.3.8
v2.3.80
v2.3.81
v2.3.82
v2.3.83
v2.3.84
v2.3.85
v2.3.86
v2.3.87
v2.3.9
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v4.*
v4.4.10
v4.4.11
v4.4.12
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.10
v4.5.100
v4.5.101
v4.5.102
v4.5.103
v4.5.104
v4.5.105
v4.5.106
v4.5.107
v4.5.108
v4.5.109
v4.5.11
v4.5.110
v4.5.111
v4.5.112
v4.5.113
v4.5.115
v4.5.117
v4.5.118
v4.5.119
v4.5.12
v4.5.120
v4.5.121
v4.5.122
v4.5.123
v4.5.124
v4.5.125
v4.5.126
v4.5.128
v4.5.129
v4.5.13
v4.5.130
v4.5.131
v4.5.132
v4.5.133
v4.5.134
v4.5.14
v4.5.140
v4.5.143
v4.5.144
v4.5.145
v4.5.146
v4.5.147
v4.5.148
v4.5.149
v4.5.15
v4.5.16
v4.5.17
v4.5.18
v4.5.19
v4.5.2
v4.5.20
v4.5.21
v4.5.22
v4.5.23
v4.5.24
v4.5.25
v4.5.26
v4.5.27
v4.5.28
v4.5.29
v4.5.3
v4.5.30
v4.5.31
v4.5.32
v4.5.33
v4.5.34
v4.5.35
v4.5.36
v4.5.37
v4.5.38
v4.5.39
v4.5.40
v4.5.41
v4.5.42
v4.5.43
v4.5.44
v4.5.45
v4.5.46
v4.5.48
v4.5.49
v4.5.5
v4.5.51
v4.5.52
v4.5.54
v4.5.55
v4.5.56
v4.5.57
v4.5.58
v4.5.59
v4.5.6
v4.5.60
v4.5.62
v4.5.63
v4.5.64
v4.5.65
v4.5.67
v4.5.68
v4.5.69
v4.5.7
v4.5.70
v4.5.71
v4.5.72
v4.5.73
v4.5.74
v4.5.76
v4.5.77
v4.5.78
v4.5.79
v4.5.8
v4.5.80
v4.5.81
v4.5.82
v4.5.83
v4.5.85
v4.5.87
v4.5.88
v4.5.9
v4.5.90
v4.5.93
v4.5.94
v4.5.95
v4.5.96
v4.5.97
v4.5.98
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.6.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41496.json"