External risk intelligence

PraisonAI Knowledge-Store SQL CQL Injection via Dimension Argument

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-60090

PraisonAI is a framework frequently used to build internet-facing AI agents, web applications, and API services. The vulnerability exists in the knowledge-store collection creation process, which is often exposed via application endpoints or management interfaces that allow user-defined configurations, making it a likely target for remote interaction in typical deployments.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical security flaw in PraisonAI, a framework used for building AI agents and applications. The vulnerability allows for injection attacks if input data is not properly validated during the creation of knowledge store collections, potentially leading to unauthorized actions on the underlying database. The main concern is confirming relevance and exposure.

  • Flaw allows data injection during collection creation.
  • Prioritize understanding its use in your systems.
  • Confirm if this technology is deployed.

Attack Path

How an attacker could exploit the issue

An attacker can trigger this vulnerability by creating a new collection with a carefully crafted dimension argument. This argument is not properly validated and is directly inserted into SQL or CQL statements, allowing the attacker to inject malicious commands. If successful, this could lead to the compromise of sensitive data, such as tenant secrets.

  • Requires network access to the application.
  • Triggered by creating a collection with malicious dimension.
  • Risk of sensitive data exposure.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in PraisonAI's knowledge-store backends could allow an unauthenticated attacker to execute arbitrary SQL or CQL commands. This occurs when the system fails to properly validate the `dimension` argument during collection creation, allowing malicious input to be directly interpolated into database DDL statements.

  • Sensitive tenant data could be exposed.
  • Database commands may be injected.
  • Data loss or unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in PraisonAI's knowledge-store creation can lead to SQL/CQL injection, potentially allowing attackers to execute arbitrary commands against the database. Application owners and platform teams are likely responsible for addressing this issue. The first step involves identifying all instances of the affected technology, assessing their exposure and criticality, and then planning remediation.

  • Own the vulnerable PraisonAI instances.
  • Verify external reachability and impact.
  • Plan and coordinate database remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PraisonAI and how is it used?

PraisonAI is a framework designed to help developers build, manage, and deploy autonomous AI agents and complex workflows. It is frequently used to create intelligent web applications and API services that require memory or data storage, such as vector-based knowledge stores, to power those agentic behaviors.

What does SQL/CQL injection mean for CVE-2026-60090?

This vulnerability is an instance of CWE-89, which occurs when a program builds database commands by gluing text strings together without cleaning them first. In this case, because the software fails to confirm that a numerical dimension argument is actually a number, an attacker can input malicious command characters that the database interprets as instructions, rather than just data, to execute unauthorized queries.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by interacting with the collection creation process in a PraisonAI knowledge store. If an application allows a user to provide the 'dimension' setting when setting up a new collection, the attacker can submit specially formatted text instead of a number. Note that providing standard numeric values for the dimension does not trigger the bug; it requires specifically crafted malicious input designed to break out of the intended command.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that PraisonAI is often deployed as internet-facing AI agents or web APIs. Because the collection creation process might be accessible through these public-facing endpoints or administrative interfaces, any system running an older version of PraisonAI that allows users to influence configuration settings should be treated as a likely target for remote interaction.

What should I do if I use PraisonAI?

Your first step is to locate all deployments of PraisonAI within your infrastructure. Review the application architecture to determine if collection creation features are reachable by untrusted users. Prioritize patching or updating the software to version 4.6.78 or later, as this version contains the necessary validation logic to stop malicious input from affecting your database.

References