CVE-2026-41496

CVE-2026-41496 is a high-severity SQL injection vulnerability in praisonai (pip), affecting versions <= 4.5.148. It is fixed in 4.5.149, 1.6.8.

Summary

The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends, MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase.

postgres.py additionally accepts an unvalidated schema parameter used directly in DDL.

Severity

High, CWE-89 (SQL Injection)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1

Exploitable in any deployment where table_prefix is derived from external input (multi-tenant setups, API-driven configuration, user-modifiable config files). Default config ("praison_") is not affected.

Details

The CVE-2026-40315 fix added this guard to sqlite.py:52:

# sqlite.py, PATCHED
import re
if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
    raise ValueError("table_prefix must contain only alphanumeric characters and underscores")

The following backends perform the identical table_prefix → f-string SQL pattern without this guard:

Backend File Line Injection points
MySQL persistence/conversation/mysql.py 65 5
PostgreSQL persistence/conversation/postgres.py 89 (+schema:88) 10
Async SQLite persistence/conversation/async_sqlite.py 43 13
Async MySQL persistence/conversation/async_mysql.py 65 13
Async PostgreSQL persistence/conversation/async_postgres.py 63 13
Turso/LibSQL persistence/conversation/turso.py 66 9
SingleStore persistence/conversation/singlestore.py 51 7
Supabase persistence/conversation/supabase.py 68 9
SurrealDB persistence/conversation/surrealdb.py 57 8
Total 9 backends 52 injection points

Additionally, praisonai-agents/praisonaiagents/storage/backends.py:179 (SQLiteBackend) accepts table_name without validation.

PoC

#!/usr/bin/env python3
"""
Demonstrates: sqlite.py rejects malicious table_prefix, mysql.py accepts it.
Run: python3 poc.py  (no dependencies required)
"""
import re

payload = "x'; DROP TABLE users; --"

# ── SQLite (patched) ────────────────────────────────────────────────
try:
    if not re.match(r'^[a-zA-Z0-9_]*$', payload):
        raise ValueError("blocked")
    print(f"[SQLite] FAIL, accepted: {payload}")
except ValueError:
    print(f"[SQLite] OK, rejected malicious table_prefix")

# ── MySQL (unpatched) ───────────────────────────────────────────────
sessions_table = f"{payload}sessions"
sql = f"CREATE TABLE IF NOT EXISTS {sessions_table} (session_id VARCHAR(255) PRIMARY KEY)"
print(f"[MySQL]  VULN, generated SQL:\n  {sql}")

# ── PostgreSQL (unpatched, both table_prefix AND schema) ──────────
schema = "public; DROP SCHEMA data CASCADE; --"
sessions_table = f"{schema}.praison_sessions"
sql = f"CREATE SCHEMA IF NOT EXISTS {schema}"
print(f"[Postgres] VULN, schema injection:\n  {sql}")

Output:

[SQLite] OK, rejected malicious table_prefix
[MySQL]  VULN, generated SQL:
  CREATE TABLE IF NOT EXISTS x'; DROP TABLE users; --sessions (session_id VARCHAR(255) PRIMARY KEY)
[Postgres] VULN, schema injection:
  CREATE SCHEMA IF NOT EXISTS public; DROP SCHEMA data CASCADE; --

Vulnerable code (mysql.py, representative)

# mysql.py:65-67, NO validation
self.table_prefix = table_prefix                    # ← raw input
self.sessions_table = f"{table_prefix}sessions"     # ← into identifier
self.messages_table = f"{table_prefix}messages"

# mysql.py:105, straight into DDL
cur.execute(f"""
    CREATE TABLE IF NOT EXISTS {self.sessions_table} (
        session_id VARCHAR(255) PRIMARY KEY, ...
    )
""")

Compare with the patched sqlite.py:52:

# sqlite.py:52-53, HAS validation
if not re.match(r'^[a-zA-Z0-9_]*$', table_prefix):
    raise ValueError("table_prefix must contain only alphanumeric characters and underscores")

Impact

When table_prefix originates from untrusted input, multi-tenant tenant names, API request parameters, user-editable config, an attacker achieves arbitrary SQL execution against the backing database. The injected SQL runs in the context of DDL and DML operations (CREATE TABLE, INSERT, SELECT, DELETE), giving the attacker read/write/delete access to the entire database.

PostgreSQL's schema parameter adds a second injection vector in DDL (CREATE SCHEMA IF NOT EXISTS {schema}).

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

CVE-2026-41496 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.149, 1.6.8); upgrading removes the vulnerable code path.

Affected versions

praisonai (<= 4.5.148) praisonaiagents (<= 1.6.7)

Security releases

praisonai → 4.5.149 (pip) praisonaiagents → 1.6.8 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

praisonai to 4.5.149 or later; praisonaiagents to 1.6.8 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41496? CVE-2026-41496 is a high-severity SQL injection vulnerability in praisonai (pip), affecting versions <= 4.5.148. It is fixed in 4.5.149, 1.6.8. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. How severe is CVE-2026-41496? CVE-2026-41496 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-41496?
    • praisonai (pip) (versions <= 4.5.148)
    • praisonaiagents (pip) (versions <= 1.6.7)
  4. Is there a fix for CVE-2026-41496? Yes. CVE-2026-41496 is fixed in 4.5.149, 1.6.8. Upgrade to this version or later.
  5. Is CVE-2026-41496 exploitable, and should I be worried? Whether CVE-2026-41496 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-41496 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41496?
    • Upgrade praisonai to 4.5.149 or later
    • Upgrade praisonaiagents to 1.6.8 or later

Other vulnerabilities in praisonai

Stop the waste.
Protect your environment with Kodem.