Overview
CVE-2026-60090 is a critical-severity (CVSS 9.8) SQL injection vulnerability affecting the knowledge-store subsystem of PraisonAI. The flaw targets the create_collection() method in both the PGVector and Cassandra backends, where the dimension parameter — declared as int in the type signature but not enforced at runtime — is interpolated directly into DDL queries without sanitization.
Although other identifiers such as schema names, keyspace names, and collection names are validated, the numeric dimension value is trusted implicitly, opening a path for an attacker-controlled integer-like payload to inject arbitrary SQL or CQL into the query.
Technical Details
Vulnerable Code Pattern
When creating a vector collection, PraisonAI constructs a query along these lines:
# Simplified vulnerable pattern
query = f"CREATE TABLE {collection_name} (id UUID, embedding VECTOR({dimension}))"
conn.execute(query)The dimension value is sourced from caller-controlled input (e.g., a configuration file, an API call, or agent-supplied parameters). Because Python's type hints are not enforced at runtime, passing a string such as "128); DROP TABLE users; --" results in destructive SQL being executed against the database.
Attack Vectors
- Direct API / SDK callers: Any code path that creates a knowledge-store collection with a user-supplied or agent-supplied dimension.
- Agent-driven provisioning: Agents that dynamically create collections based on task parameters are especially exposed if those parameters flow from untrusted sources.
- Multi-tenant deployments: In shared environments, one tenant may be able to destroy or read another tenant's data.
Potential Impact
- Database destruction: DROP TABLE / DROP KEYSPACE statements could wipe entire knowledge bases.
- Data exfiltration: UNION-based injection or stacked queries can read sensitive stored embeddings and metadata.
- Privilege escalation: On PostgreSQL, injection can be chained with
COPY TO/FROMorpg_read_file()to reach the filesystem. - Cassandra cluster compromise: CQL injection can create, modify, or delete keyspaces and alter replication settings.
Affected Versions
| Product | Backend | Affected | Fixed |
|---|---|---|---|
| PraisonAI | PGVector | < 4.6.78 | 4.6.78+ |
| PraisonAI | Cassandra | < 4.6.78 | 4.6.78+ |
Remediation
Upgrade to PraisonAI 4.6.78 or later as soon as possible. The patched release enforces integer bounds-checking on the dimension parameter at the application layer before it is used in any query.
If patching is not immediately possible:
- Validate
dimensioninputs in your calling code: ensure the value is a plain positive integer before passing it tocreate_collection(). - Use parameterized queries: If you extend or fork PraisonAI, always use driver-level parameterization rather than f-string interpolation for DDL values.
- Restrict database privileges: The PraisonAI service account should have only the minimum necessary permissions — avoid SUPERUSER or equivalent.
- Audit existing collections for signs of injection-created artifacts (tables with unusual names, unexpected schemas).
References
Timeline
| Date | Event |
|---|---|
| 2026-07-11 | NVD publication |
| 2026-07-12 | CosmicBytez Labs advisory published |