What is the CVSS score of CVE-2025-69285?

CVE-2025-69285 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of PostgreSQL are affected by CVE-2025-69285?

Organizations using SQLBot should be aware of moderate risk from CVE-2025-69285, a missing authentication vulnerability rated CVSS 6.1. This could allow unauthorized access to protected resources.

Is there a public PoC exploit available for CVE-2025-69285?

Yes, a public proof-of-concept exploit is available for CVE-2025-69285. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-69285?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.

PostgreSQL CVE-2025-69285

MEDIUM

Missing Authentication for Critical Function (CWE-306)

2026-01-21 security-advisories@github.com

PostgreSQL AI / ML Sqlbot

6.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 02, 2026 - 13:57 vuln.today

Public exploit code

CVE Published

Jan 21, 2026 - 21:16 nvd

MEDIUM 6.1

DescriptionGitHub Advisory

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available.

AnalysisAI

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

Technical ContextAI

Classified as CWE-306 (Missing Authentication for Critical Function). Affects Sqlbot. SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas a

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-20253 CRITICAL Act Now POC

9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2026-54310 MEDIUM This Month

9.9 Jun 16

SQL injection in n8n's legacy Postgres v1 and TimescaleDB workflow nodes allows an authenticated workflow editor to inje

CVE-2026-48114 CRITICAL Act Now

9.8 Jun 15

Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and exec

CVE-2026-11945 HIGH This Week

7.5 Jun 11

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve s

CVE-2025-69285 vulnerability details – vuln.today

Back