Description
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.
Published: 2026-05-05
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQLBot, an intelligent Text-to-SQL system, permits prompt injection in its chat interface. The question supplied by the user is concatenated directly into the language‑model prompt without any filtering or escaping. The textual SQL the model outputs is then executed against the underlying database without validation. This flaw (CWE-89) enables an authenticated attacker to create a malicious query that can lead to remote code execution, particularly when the target is a PostgreSQL data source through the COPY FROM PROGRAM capability.

Affected Systems

Dataease SQLBot versions 1.7.0 and earlier are impacted. The vulnerability is tied to PostgreSQL connections, where arbitrary SQL execution can be leveraged for code execution. Versions 1.7.1 and later contain the fix.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is an authenticated user submitting a specially crafted question to the Text2SQL interface, which is then processed by the LLM and executed as SQL on the backend database.

Generated by OpenCVE AI on May 5, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to SQLBot version 1.7.1 or later.
  • Restrict or disable the COPY FROM PROGRAM feature in PostgreSQL to block remote code execution via SQL commands.
  • Configure input validation and sanitization on the question field to escape or filter out malicious content before it reaches the language model.

Generated by OpenCVE AI on May 5, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Fit2cloud
Fit2cloud sqlbot
CPEs cpe:2.3:a:fit2cloud:sqlbot:*:*:*:*:*:*:*:*
Vendors & Products Fit2cloud
Fit2cloud sqlbot
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 05 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Dataease
Dataease sqlbot
Vendors & Products Dataease
Dataease sqlbot

Tue, 05 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.
Title SQLBot prompt injection allows arbitrary SQL execution and remote code execution
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Dataease Sqlbot
Fit2cloud Sqlbot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:38:28.127Z

Reserved: 2026-03-18T21:23:36.677Z

Link: CVE-2026-33324

cve-icon Vulnrichment

Updated: 2026-05-05T19:38:24.072Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T20:16:36.317

Modified: 2026-05-08T19:22:59.910

Link: CVE-2026-33324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T21:00:10Z

Weaknesses