GHSA-x783-xp3g-mqhp: PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries

April 10, 2026

The table_prefix configuration value is directly used to construct SQL table identifiers without validation.

If an attacker controls this value, they can manipulate SQL query structure, leading to unauthorized data access (e.g., reading internal SQLite tables such as sqlite_master) and tampering with query results.

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/releases/tag/v4.5.133
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp
github.com/advisories/GHSA-x783-xp3g-mqhp

Code Behaviors & Features

Detect and mitigate GHSA-x783-xp3g-mqhp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →