PostgreSQL CVE-2026-32628

EUVD-2026-12138 HIGH
SQL Injection (CWE-89)
2026-03-13 GitHub_M
CVSS 4.0: 7.7

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None

Lifecycle Timeline

EUVD ID Assigned: Mar 13, 2026 - 22:01 (euvd), EUVD-2026-12138
Analysis Generated: Mar 13, 2026 - 22:01 (vuln.today)
CVE Published: Mar 13, 2026 - 20:50 (nvd), HIGH 7.7

Description (NVD)

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
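
The concatenation pattern described above, next to a parameterized form, as an added illustration that is not AnythingLLM's source code. The function names, the information_schema query and the identifier allowlist are assumptions made for the example.

```javascript
// Added illustration, not AnythingLLM's source; all function names are hypothetical.

// Pattern the description names: table_name concatenated into the SQL text,
// so a quote in the input closes the string literal and the rest is parsed as SQL.
function schemaSqlConcatenated(tableName) {
  return (
    "SELECT column_name, data_type FROM information_schema.columns " +
    "WHERE table_name = '" + tableName + "'"
  );
}

// Parameterized form: the SQL text is constant and the value is sent separately.
// $1 is the node-postgres placeholder; other drivers use ? or named parameters.
function schemaSqlParameterized(tableName) {
  return {
    text:
      "SELECT column_name, data_type FROM information_schema.columns " +
      "WHERE table_name = $1",
    values: [String(tableName)],
  };
}

// Defence in depth (assumed policy): accept only plain, unquoted identifiers.
// This also rejects legitimate names that need quoting; widen it deliberately.
const PLAIN_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
function safeSchemaQuery(tableName) {
  if (typeof tableName !== "string" || !PLAIN_IDENTIFIER.test(tableName)) {
    throw new Error("rejected table name");
  }
  return schemaSqlParameterized(tableName);
}

// Constructed inputs: one ordinary table name, one containing a quote.
const benign = "orders";
const crafted = "orders' OR '1'='1";

function demo() {
  return {
    concatenated: schemaSqlConcatenated(crafted), // predicate altered by input
    parameterized: schemaSqlParameterized(crafted), // text unchanged, input is data
    sameText:
      schemaSqlParameterized(benign).text === schemaSqlParameterized(crafted).text,
  };
}

console.log(demo());
```
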

Analysis (AI)

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. …

Remediation (AI)

Within 24 hours: Disable the SQL Agent plugin in all AnythingLLM instances and audit logs for unauthorized SQL execution. Within 7 days: Identify all connected databases and implement network-level access restrictions; conduct forensic review of database activity logs for compromise indicators. …
