Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1852+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-60090: PraisonAI SQL Injection via Unvalidated Dimension Parameter in Vector Store Backends
CVE-2026-60090: PraisonAI SQL Injection via Unvalidated Dimension Parameter in Vector Store Backends

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-60090

CVE-2026-60090: PraisonAI SQL Injection via Unvalidated Dimension Parameter in Vector Store Backends

A CVSS 9.8 critical SQL injection vulnerability in PraisonAI before 4.6.78 allows attackers to exploit the unvalidated dimension argument in PGVector and Cassandra knowledge-store backends to execute arbitrary database queries.

Dylan H.

Security Team

July 12, 2026
3 min read

Affected Products

  • PraisonAI < 4.6.78

Overview

CVE-2026-60090 is a critical-severity (CVSS 9.8) SQL injection vulnerability affecting the knowledge-store subsystem of PraisonAI. The flaw targets the create_collection() method in both the PGVector and Cassandra backends, where the dimension parameter — declared as int in the type signature but not enforced at runtime — is interpolated directly into DDL queries without sanitization.

Although other identifiers such as schema names, keyspace names, and collection names are validated, the numeric dimension value is trusted implicitly, opening a path for an attacker-controlled integer-like payload to inject arbitrary SQL or CQL into the query.

Technical Details

Vulnerable Code Pattern

When creating a vector collection, PraisonAI constructs a query along these lines:

# Simplified vulnerable pattern
query = f"CREATE TABLE {collection_name} (id UUID, embedding VECTOR({dimension}))"
conn.execute(query)

The dimension value is sourced from caller-controlled input (e.g., a configuration file, an API call, or agent-supplied parameters). Because Python's type hints are not enforced at runtime, passing a string such as "128); DROP TABLE users; --" results in destructive SQL being executed against the database.

Attack Vectors

  • Direct API / SDK callers: Any code path that creates a knowledge-store collection with a user-supplied or agent-supplied dimension.
  • Agent-driven provisioning: Agents that dynamically create collections based on task parameters are especially exposed if those parameters flow from untrusted sources.
  • Multi-tenant deployments: In shared environments, one tenant may be able to destroy or read another tenant's data.

Potential Impact

  • Database destruction: DROP TABLE / DROP KEYSPACE statements could wipe entire knowledge bases.
  • Data exfiltration: UNION-based injection or stacked queries can read sensitive stored embeddings and metadata.
  • Privilege escalation: On PostgreSQL, injection can be chained with COPY TO/FROM or pg_read_file() to reach the filesystem.
  • Cassandra cluster compromise: CQL injection can create, modify, or delete keyspaces and alter replication settings.

Affected Versions

ProductBackendAffectedFixed
PraisonAIPGVector< 4.6.784.6.78+
PraisonAICassandra< 4.6.784.6.78+

Remediation

Upgrade to PraisonAI 4.6.78 or later as soon as possible. The patched release enforces integer bounds-checking on the dimension parameter at the application layer before it is used in any query.

If patching is not immediately possible:

  1. Validate dimension inputs in your calling code: ensure the value is a plain positive integer before passing it to create_collection().
  2. Use parameterized queries: If you extend or fork PraisonAI, always use driver-level parameterization rather than f-string interpolation for DDL values.
  3. Restrict database privileges: The PraisonAI service account should have only the minimum necessary permissions — avoid SUPERUSER or equivalent.
  4. Audit existing collections for signs of injection-created artifacts (tables with unusual names, unexpected schemas).

References

  • NVD — CVE-2026-60090
  • PraisonAI GitHub

Timeline

DateEvent
2026-07-11NVD publication
2026-07-12CosmicBytez Labs advisory published
#CVE#SQL Injection#AI Security#PraisonAI#Vector Database#Critical

Related Articles

CVE-2026-61445: PraisonAI AICoder Arbitrary File Write and Command Injection via LLM Tool Calls

A CVSS 9.9 critical vulnerability in PraisonAI before 4.6.78 allows attackers to write files to arbitrary filesystem locations and execute arbitrary OS commands by injecting malicious prompts through the AICoder chat interface.

3 min read

CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

A CVSS 10.0 critical vulnerability in PraisonAI before 1.6.78 allows attackers to achieve remote code execution by injecting malicious prompts that exploit the CodeAgent's unsandboxed LLM-generated Python execution pipeline.

3 min read

CVE-2026-5955: BiEticaret E-Commerce SQL Injection (CVSS 9.8)

A critical SQL injection vulnerability in Inrove Software's BiEticaret e-commerce platform (versions before v3.3.57) allows unauthenticated attackers to dump the full database, bypass authentication, and access customer payment and PII data.

5 min read
Back to all Security Alerts