SQL Injection Vulnerability in PraisonAI Multi-Agent System
CVE-2026-41496

8.1 HIGH

Key Information:

CVE Published: 8 May 2026

What is CVE-2026-41496?

PraisonAI, a multi-agent system, is affected by SQL injection across multiple storage backends. Prior to version 4.6.9 of PraisonAI and version 1.6.9 of PraisonAI Agents, several components, including the MySQL and PostgreSQL backends, passed user input straight into SQL statements without adequate validation. This left 52 unvalidated injection points through which an attacker could alter database queries. In addition, the postgres.py module accepted an unvalidated schema parameter and used it in Data Definition Language (DDL) statements, where bind parameters cannot be used. The fixed versions address these vulnerabilities.
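The two defects the advisory describes, as an added example that is not PraisonAI's own code: user input interpolated into a query versus bound as a parameter, and a schema name used in DDL, where no bind parameter is available, so it has to be allow-listed and quoted. The `memories` table, its rows, and the use of sqlite3 as a stand-in for the MySQL/PostgreSQL backends are constructed assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the real backends.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE memories (id INTEGER PRIMARY KEY, agent TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO memories (agent, content) VALUES (?, ?)",
        [("planner", "secret plan"), ("coder", "write tests")],
    )
    return conn


def find_vulnerable(conn, agent):
    # The pattern the advisory describes: caller-controlled text spliced into
    # the statement, so the database parses it as SQL, not as a value.
    sql = f"SELECT content FROM memories WHERE agent = '{agent}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_fixed(conn, agent):
    # The value travels as a bind parameter; the driver never treats it as SQL.
    sql = "SELECT content FROM memories WHERE agent = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (agent,))]


# Allow-list for identifiers: letters, digits, underscore, within PostgreSQL's
# 63-byte identifier limit. Anything else is rejected before it reaches DDL.
SAFE_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def quote_identifier(name):
    if not SAFE_IDENTIFIER.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name + '"'


def create_schema_sql(schema):
    # DDL cannot bind identifiers, so validation plus quoting is the control.
    return f"CREATE SCHEMA IF NOT EXISTS {quote_identifier(schema)}"
```

With a crafted `agent` value, `find_vulnerable` returns every row while `find_fixed` returns none; `create_schema_sql` refuses any schema name that is not a plain identifier.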

Affected Version(s)

PraisonAI praisonaiagents < 1.6.9 (fixed in 1.6.9)

PraisonAI praisonai < 4.6.9 (fixed in 4.6.9)

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
