CVE-2026-34934
EUVD-2026-1891103.04.2026, 23:17
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full database access. This issue has been patched in version 4.5.90.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| praison | praisonai | 𝑥 < 4.5.90 |
𝑥
= Vulnerable software versions