PraisonAI, a multi-agent teams system, contains an SQL identifier injection vulnerability in SQLiteConversationStore before version 4.5.133. The vulnerability occurs because the table_prefix configuration value is concatenated into SQL queries using f-strings without validation or sanitization. Since SQL identifiers cannot be parameterized safely, an attacker controlling table_prefix (via configuration inputs such as from_yaml or from_dict) can inject SQL fragments that alter query structure. This enables unauthorized reading of internal SQLite tables like sqlite_master and manipulation of query results through UNION-based injection. The vulnerability propagates from configuration input in config.py through factory.py to SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input. The issue is resolved in version 4.5.133.

Successful exploitation allows an attacker with limited privileges to inject arbitrary SQL code into queries, leading to unauthorized disclosure of internal database schema information and tampering with query results. This can compromise data confidentiality and integrity within the affected PraisonAI system. The attack requires the ability to influence configuration input, limiting the attack surface to scenarios where such control is possible.

This vulnerability has been fixed in PraisonAI version 4.5.133. Users should upgrade to version 4.5.133 or later to remediate this issue. Since no official remediation level or patch link is provided beyond this version update, applying this upgrade is the recommended mitigation. No additional vendor advisory indicates alternative mitigations or that no action is required.