Impact
Langroid’s SQLChatAgent, prior to version 0.63.0, constructs and executes SQL statements directly from untrusted language‑model output. The framework accepts user prompts that can influence the LLM’s generated SQL, and, if the underlying database user possesses elevated privileges, the agent can execute dialect‑specific commands such as "COPY … FROM PROGRAM" or other server‑side primitives. This allows an attacker to run arbitrary code or access the file system on the database host, compromising confidentiality, integrity, and availability of the affected system. The weakness corresponds to CWE‑89 (SQL Injection) and CWE‑94 (Code Execution from Unsanitized Input).
Affected Systems
The vulnerability affects the Langroid framework (langroid:langroid) in all releases prior to 0.63.0. Applications that use SQLChatAgent with a database role that includes command execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell) are susceptible; versions 0.63.0 and later have mitigations enabled by default.
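The two sections above describe the failure mode (LLM-generated SQL handed straight to a privileged database connection) and the roles that make it dangerous. The following is an added defensive example, not Langroid's own code or its 0.63.0 fix: an application-side allowlist gate that rejects anything other than a single read-only statement and refuses the server-side primitives named in the advisory, backed by a connection-level read-only authorizer. The function names vet_generated_sql, run_readonly and authorizer_blocks, the blocklists, and the sqlite3 "customers" table are assumptions constructed for the example; the dialect argument only selects which blocklist applies, and the demo runs against sqlite3 so it works offline.

```python
"""Allowlist gate for LLM-generated SQL plus a read-only execution path.

Added illustrative example; not Langroid code. The primary fix remains a
least-privilege database role (no pg_execute_server_program, FILE or
xp_cmdshell); this gate is a second, application-side layer.
"""
import re
import sqlite3

# Only read-only statement heads are accepted at the top level.
ALLOWED_LEADING = re.compile(r"^(SELECT|WITH|EXPLAIN)\b")

# Keywords that must not appear anywhere, in any dialect. Checking the whole
# text rather than just the leading keyword matters because PostgreSQL allows
# data-modifying CTEs such as WITH x AS (DELETE ... RETURNING *) SELECT ...
COMMON_BLOCKLIST = [
    r"\b(INSERT|UPDATE|DELETE|MERGE|TRUNCATE|DROP|ALTER|CREATE|GRANT|REVOKE)\b",
    r"\bEXEC(UTE)?\b",
]

# Dialect-specific server-side primitives named in the advisory and close
# relatives (assumed list; extend for the dialect actually deployed).
DIALECT_BLOCKLIST = {
    "postgresql": [r"\bCOPY\b", r"\bPG_READ(_BINARY)?_FILE\b",
                   r"\bPG_LS_DIR\b", r"\bLO_(IMPORT|EXPORT)\b"],
    "mysql": [r"\bLOAD_FILE\b", r"\bINTO\s+(OUTFILE|DUMPFILE)\b",
              r"\bLOAD\s+DATA\b"],
    "mssql": [r"\bXP_\w+\b", r"\bSP_OA\w+\b", r"\bOPENROWSET\b",
              r"\bBULK\s+INSERT\b"],
}


def vet_generated_sql(sql: str, dialect: str) -> tuple[bool, str]:
    """Return (ok, reason). Matching runs on the raw uppercased text so that
    nothing hidden in comments or string literals can slip past; the cost is
    an occasional false positive, which is acceptable for a gate."""
    if dialect not in DIALECT_BLOCKLIST:
        return False, f"unknown dialect {dialect!r}"
    text = sql.strip().rstrip(";").strip()
    if not text:
        return False, "empty statement"
    if ";" in text:
        return False, "multiple statements are not allowed"
    upper = text.upper()
    for pattern in COMMON_BLOCKLIST + DIALECT_BLOCKLIST[dialect]:
        if re.search(pattern, upper):
            return False, f"matches blocked pattern {pattern}"
    if not ALLOWED_LEADING.match(upper):
        return False, "statement must begin with SELECT, WITH or EXPLAIN"
    return True, "ok"


def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    # Connection-level backstop: even if the gate were bypassed, this
    # connection can only read. Everything except SELECT/READ/FUNCTION is denied.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def make_demo_connection() -> sqlite3.Connection:
    """Constructed sample data; the authorizer is installed after loading it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO customers (name, region) VALUES (?, ?)",
                     [("Grace", "EU"), ("Ada", "EU"), ("Linus", "US")])
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_readonly(conn: sqlite3.Connection, sql: str, dialect: str) -> list:
    """Gate first, then execute on the read-only connection."""
    ok, reason = vet_generated_sql(sql, dialect)
    if not ok:
        raise PermissionError(f"rejected generated SQL: {reason}")
    return conn.execute(sql).fetchall()


def authorizer_blocks(conn: sqlite3.Connection, sql: str) -> bool:
    """True if the connection-level backstop refuses the statement outright."""
    try:
        conn.execute(sql)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_connection()
    print(run_readonly(db, "SELECT name FROM customers WHERE region = 'EU' ORDER BY name", "postgresql"))
    for candidate in ("COPY customers FROM PROGRAM 'placeholder'",
                      "WITH x AS (DELETE FROM customers RETURNING id) SELECT * FROM x",
                      "SELECT 1; DROP TABLE customers"):
        print(candidate, "->", vet_generated_sql(candidate, "postgresql"))
```

The gate is deliberately conservative: any semicolon, DML/DDL keyword or dialect primitive anywhere in the text rejects the statement, so a model that emits a legitimate query containing the word "update" in a string literal will be refused and can be asked to rephrase. The authorizer is the piece that corresponds to the advisory's actual root cause: with a read-only role at the database, the gate's false negatives still cannot reach COPY ... FROM PROGRAM or its equivalents.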
Risk and Exploitability
With a CVSS score of 9.8, the vulnerability is considered critical. No EPSS data is available, so the likelihood of exploitation cannot be quantified, yet the lack of a KEV listing does not diminish the urgency. The most probable attack vector is an attacker who can craft or influence prompts sent to the SQLChatAgent, either directly or via intermediary data returned to the LLM. Successful exploitation requires that the database role used by the agent has expanded privileges, a condition that is not mitigated by standard least‑privilege configurations.
OpenCVE Enrichment
Github GHSA