What is the CVSS score of CVE-2026-32622?

CVE-2026-32622 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.6%.

Which versions of PostgreSQL are affected by CVE-2026-32622?

SQLBot versions 1.5.0 and below contain a remote code execution vulnerability that allows authenticated users to execute arbitrary database commands by uploading malicious terminology files,…. A patch is available.

PostgreSQL CVE-2026-32622

EUVD-2026-13210 HIGH

Missing Authorization (CWE-862)

2026-03-19 GitHub_M

Authentication Bypass RCE PostgreSQL

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:20 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.6.0

EUVD ID Assigned

Mar 19, 2026 - 21:00 euvd

EUVD-2026-13210

Analysis Generated

Mar 19, 2026 - 21:00 vuln.today

CVE Published

Mar 19, 2026 - 20:55 nvd

HIGH 8.8

DescriptionNVD

SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.

AnalysisAI

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. …

RemediationAI

Within 24 hours: Identify all instances of SQLBot 1.5.0 and below in production and development environments. Within 7 days: Apply the vendor-released patch to upgrade all SQLBot instances to version 1.5.1 or later, and restrict upload API access to trusted administrators only during the patching window. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32622 vulnerability details – vuln.today

Back

PostgreSQL CVE-2026-32622

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code