PraisonAI and PraisonAI Agents SQL Injection Vulnerability in Multiple Backends
Vulnerability
A SQL injection vulnerability has been identified in PraisonAI, a multi-agent teams system, and in its agents package, prior to versions 4.6.9 and 1.6.9 respectively. The vulnerability arises in nine conversation store backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and the async variants of SQLite, MySQL, and PostgreSQL) that incorporate an unvalidated 'table_prefix' directly into SQL commands via f-strings. The flaw spans 52 injection points across the codebase and allows arbitrary SQL execution: the injected SQL runs as part of the data definition and data manipulation language operations the stores issue, such as creating or dropping tables and managing database records. The PostgreSQL backend's 'schema' parameter adds a second injection vector, allowing unvalidated schema modifications via data definition language commands.
Impact
Exploitation of this vulnerability allows arbitrary SQL execution on the affected database, with the injected SQL running in the context of data definition and manipulation operations. This can lead to unauthorized data access, modification, or deletion. In the case of PostgreSQL, the vulnerability also allows unvalidated schema injection, further expanding the potential impact.
Reproduction
The vulnerability can be reproduced by configuring PraisonAI or its agents package with a 'table_prefix' derived from untrusted input, such as tenant names in a multi-tenant deployment or API request parameters. Once this is set, the injection surfaces as soon as the store issues a statement that embeds the unvalidated 'table_prefix' through an f-string, such as creating a table or schema in the database.
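The f-string pattern described above, shown beside a hardened builder that allow-lists and quotes the identifier before it reaches DDL, as an added example that is not PraisonAI's own code; the identifier rule, the '_sessions' table name and all function names are assumptions:

```python
import re
import sqlite3

# Assumed allow-list for table_prefix / schema values (not PraisonAI's own rule):
# letters, digits and underscore, no leading digit, at most 63 characters.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

def is_safe_identifier(name) -> bool:
    """True only when name matches the allow-list; anything else is rejected."""
    return isinstance(name, str) and IDENT_RE.fullmatch(name) is not None

def quote_identifier(name: str) -> str:
    """Validate, then double-quote so the database parses it as a name, never as SQL."""
    if not is_safe_identifier(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'

def vulnerable_create_table_sql(table_prefix: str) -> str:
    # Pattern the advisory describes: the raw prefix is interpolated into DDL, so any SQL syntax it carries runs.
    return f"CREATE TABLE IF NOT EXISTS {table_prefix}_sessions (id TEXT PRIMARY KEY, data TEXT)"

def safe_create_table_sql(table_prefix: str) -> str:
    # Hardened form: allow-list the prefix, then quote the assembled table name.
    if not is_safe_identifier(table_prefix):
        raise ValueError(f"unsafe table_prefix: {table_prefix!r}")
    return (f"CREATE TABLE IF NOT EXISTS {quote_identifier(table_prefix + '_sessions')} "
            "(id TEXT PRIMARY KEY, data TEXT)")

def safe_create_schema_sql(schema: str) -> str:
    # The same check covers the PostgreSQL 'schema' parameter.
    return f"CREATE SCHEMA IF NOT EXISTS {quote_identifier(schema)}"

def provision_tenant_store(table_prefix: str) -> str:
    """Create the tenant's table in an in-memory SQLite database; return its name."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(safe_create_table_sql(table_prefix))
        row = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
                           (table_prefix + "_sessions",)).fetchone()
        return row[0]
    finally:
        conn.close()

def provisioning_rejects(table_prefix: str) -> bool:
    """True when the hardened path refuses the prefix before any SQL is executed."""
    try:
        provision_tenant_store(table_prefix)
    except ValueError:
        return True
    return False
```

SQLite stands in for the nine backends here; the identifier check is the same regardless of driver, and the quoting uses standard double-quoted identifiers.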
Remediation
Users should update to PraisonAI version 4.6.9 and PraisonAI Agents version 1.6.9.
