CVE-2026-34934

Name of the Vulnerable Software and Affected Versions PraisonAI (affected versions not specified)

Description A second-order SQL injection issue exists in the get all user threads function. The function constructs raw SQL queries using f-strings with unescaped thread IDs obtained from the database. An attacker can inject a malicious thread ID via the update thread function. When the application retrieves the thread list, the injected payload is executed, potentially granting full database access. The vulnerable code is located in src/praisonai/praisonai/ui/sql alchemy.py. The attack flow involves inserting a malicious payload through update thread (line 539), constructing a thread ID string (line 547), and then using this string in a SQL query (line 576). This could lead to the exfiltration of sensitive data, access to conversation histories, and the ability to modify or delete database contents.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.