CVE-2026-40315: PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
The table_prefix configuration value is interpolated directly into SQL table identifiers without validation.
If an attacker controls this value, they can alter the structure of the generated SQL queries, leading to unauthorized data access (e.g., reading internal SQLite tables such as sqlite_master) and tampering with query results.
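The defensive pattern the fix needs is an identifier allowlist: a table prefix is configuration, not data, so it cannot be passed as a bound parameter and must instead be validated before it is ever placed into a statement. The example below is added here and is not PraisonAI's code; the `ConversationStore` class, its schema and the prefix rules are assumptions chosen to illustrate the check. It rejects any prefix that is not a plain identifier, additionally refuses the `sqlite_` namespace that SQLite reserves for internal tables, and quotes the resulting identifier so that only the validated prefix can reach the query.

```python
import re
import sqlite3

# Allowlist for a table prefix: letters, digits and underscore only,
# starting with a letter or underscore, bounded in length. Anything that
# could terminate or extend an identifier (quotes, spaces, ';', '.', '-')
# is rejected outright.
_PREFIX_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")


def validate_table_prefix(prefix: str) -> str:
    """Return the prefix unchanged if it is identifier-safe, else raise ValueError."""
    if not isinstance(prefix, str) or not _PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid table_prefix: {prefix!r}")
    # SQLite reserves names beginning with 'sqlite_' for internal tables;
    # a prefix in that namespace would collide with or shadow them.
    if prefix.lower().startswith("sqlite_"):
        raise ValueError(f"table_prefix may not use the reserved sqlite_ namespace: {prefix!r}")
    return prefix


class ConversationStore:
    """Hypothetical hardened store (assumption, not PraisonAI's implementation).

    The vulnerable pattern is the same f-string interpolation but without
    validate_table_prefix(), e.g. f"SELECT ... FROM {prefix}messages".
    """

    def __init__(self, conn: sqlite3.Connection, table_prefix: str = "conv_"):
        self.conn = conn
        self.prefix = validate_table_prefix(table_prefix)
        # Double-quoted identifier: after validation the prefix cannot contain
        # a quote, so the identifier boundaries are fixed by our code, not by config.
        self.table = f'"{self.prefix}messages"'
        self.conn.execute(
            f"CREATE TABLE IF NOT EXISTS {self.table} "
            "(id INTEGER PRIMARY KEY, role TEXT NOT NULL, content TEXT NOT NULL)"
        )

    def add(self, role: str, content: str) -> None:
        # Row values are data and go through bound parameters as usual.
        self.conn.execute(
            f"INSERT INTO {self.table} (role, content) VALUES (?, ?)", (role, content)
        )
        self.conn.commit()

    def messages(self) -> list[tuple[str, str]]:
        return self.conn.execute(
            f"SELECT role, content FROM {self.table} ORDER BY id"
        ).fetchall()


def demo() -> list[tuple[str, str]]:
    """Round-trip two constructed messages through an in-memory store."""
    conn = sqlite3.connect(":memory:")
    store = ConversationStore(conn, table_prefix="agent1_")
    store.add("user", "hello")
    store.add("assistant", "hi")
    return store.messages()


if __name__ == "__main__":
    print(demo())
    for bad in ('x" --', "a b", "conv;", "sqlite_"):
        try:
            validate_table_prefix(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Validation happens once, at construction time, so a hostile value fails loudly before any table is created rather than being discovered in a query path. Keeping the allowlist strict (rather than trying to escape or quote arbitrary input) is what makes the later interpolation safe.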
References
- github.com/MervinPraison/PraisonAI
- github.com/MervinPraison/PraisonAI/commit/0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef
- github.com/MervinPraison/PraisonAI/releases/tag/v4.5.133
- github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp
- github.com/advisories/GHSA-x783-xp3g-mqhp
- nvd.nist.gov/vuln/detail/CVE-2026-40315