PraisonAI, a multi-agent teams system, contains an SQL identifier injection vulnerability in its SQLiteConversationStore component. Specifically, the table_prefix configuration value is incorporated into SQL queries using Python f-strings without any sanitization or validation. Since SQL identifiers cannot be safely parameterized, an attacker able to influence this configuration input (e.g., via from_yaml or from_dict methods) can inject arbitrary SQL fragments. This injection can alter query structure, enabling unauthorized data access such as reading internal SQLite tables like sqlite_master and tampering with query results through UNION-based injection techniques. The vulnerability propagates through configuration input in config.py, factory.py, and finally to SQL query construction in sqlite.py. The issue is resolved in PraisonAI version 4.5.133.

Successful exploitation allows an attacker with limited privileges (local access with some ability to influence configuration input) to perform SQL injection attacks that disclose internal database schema information and manipulate query results. This can lead to unauthorized data access and potential data integrity issues within the affected PraisonAI system.

This vulnerability is fixed in PraisonAI version 4.5.133. Users should upgrade to version 4.5.133 or later to remediate this issue. Since the product is not a cloud service, remediation requires applying the official patch by upgrading the software. Patch status is not explicitly stated beyond the fix in version 4.5.133; therefore, users should verify with the vendor advisory for any additional guidance.