Description
SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.
Published: 2026-03-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in SQLBot results from a chained flaw that allows an authenticated user to upload a malicious Excel file containing untampered terminology. The terminology descriptions are stored without sanitization and are later injected into the large‑language‑model system prompt without semantic fencing. This chain permits an attacker to ask the model to produce dangerous PostgreSQL commands, such as COPY … TO PROGRAM, which are then executed under the database or application server with postgres user privileges. The net effect is full remote code execution on the database or application server.

Affected Systems

Products impacted are dataease SQLBot version 1.5.0 and earlier. The CVE references a patch in v1.6.0, indicating that those earlier releases lack the necessary fixes. No other vendors or product versions are explicitly listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity, while the EPSS score of less than 1% indicates that exploitation is considered unlikely at present. Because the vulnerability is not listed in the CISA KEV catalog, it is not a known exploited vulnerability. The attack vector is inferred to require an authenticated user who can upload Excel files, meaning that internal users or compromised accounts pose the primary risk. The chain of missing permission checks, unsanitized storage, and lack of semantic fencing suggests that the vulnerability can be exercised from a normal application flow without additional bypasses.

Generated by OpenCVE AI on March 23, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SQLBot to version 1.6.0 or later.
  • If an immediate upgrade cannot be performed, remove or disable the Excel upload capability for non‑administrative users.
  • Clear any existing malicious terminology entries from the system.
  • Monitor database logs for abnormal commands such as COPY … TO PROGRAM to detect potential exploitation attempts.

Generated by OpenCVE AI on March 23, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Fit2cloud
Fit2cloud sqlbot
CPEs cpe:2.3:a:fit2cloud:sqlbot:*:*:*:*:*:*:*:*
Vendors & Products Fit2cloud
Fit2cloud sqlbot
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Dataease
Dataease sqlbot
Vendors & Products Dataease
Dataease sqlbot

Thu, 19 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.
Title SQLBot: Remote Code Execution via Terminology Poisoning
Weaknesses CWE-20
CWE-74
CWE-77
CWE-862
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dataease Sqlbot
Fit2cloud Sqlbot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:40:19.077Z

Reserved: 2026-03-12T15:29:36.558Z

Link: CVE-2026-32622

cve-icon Vulnrichment

Updated: 2026-03-24T01:40:14.326Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:10.563

Modified: 2026-03-23T17:34:55.760

Link: CVE-2026-32622

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:55Z

Weaknesses