Skip to main content

SQLBot CVE-2026-33324

| EUVDEUVD-2026-27446 CRITICAL
SQL Injection (CWE-89)
2026-05-05 GitHub_M
9.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 05, 2026 - 22:00 vuln.today
Patch available
May 05, 2026 - 21:02 EUVD
CVSS changed
May 05, 2026 - 20:22 NVD
9.4 (CRITICAL)

DescriptionGitHub Advisory

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.

AnalysisAI

Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.

Technical ContextAI

SQLBot is a Text-to-SQL system that uses large language models (LLMs) with Retrieval-Augmented Generation (RAG) to convert natural language queries into SQL. The vulnerability is rooted in CWE-89 (SQL Injection), but manifests through a modern attack vector: prompt injection against the underlying LLM. The application concatenates user-supplied question parameters directly into prompts sent to the LLM without input filtering or escaping. The LLM-generated SQL is then extracted from the response and executed against the connected database without validation or parameterization. When the backend database is PostgreSQL, attackers can leverage PostgreSQL's COPY FROM PROGRAM command to execute operating system commands, bridging SQL injection to remote code execution. The CPE identifier cpe:2.3:a:dataease:sqlbot indicates this is a DataEase product, combining traditional SQL injection weaknesses with AI/LLM-specific attack surfaces.

RemediationAI

Upgrade to SQLBot version 1.7.1 immediately, which contains vendor-released patches addressing both the prompt injection and SQL injection vulnerabilities. The fix is available from the official GitHub repository at https://github.com/dataease/SQLBot with details in security advisory GHSA-q2q6-gqqh-4xrx. For environments unable to upgrade immediately, implement the following compensating controls with noted limitations: restrict access to the Text2SQL chat interface to only trusted users through application-level access controls (reduces attack surface but does not eliminate risk from insider threats or compromised accounts); deploy database-level restrictions preventing use of PostgreSQL COPY FROM PROGRAM and other command execution functions through role-based permissions (mitigates RCE escalation but does not prevent SQL injection or data exfiltration); implement network segmentation isolating database servers from internet-accessible resources (limits lateral movement post-compromise but does not prevent initial exploitation). Note that these workarounds significantly impact SQLBot functionality and do not address the root cause-version 1.7.1 upgrade is the only complete remediation.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-33324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy