CVE-2026-44337: PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

May 11, 2026

PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection.

References

github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2
github.com/advisories/GHSA-3643-7v76-5cj2
nvd.nist.gov/vuln/detail/CVE-2026-44337

Code Behaviors & Features

Detect and mitigate CVE-2026-44337 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →