CVE-2026-5586 - Vulnerability Details

- zhongyu09 openchatbi Multi-stage Text2SQL Workflow sql injection

Description

A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-05

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in an unspecified function of the Multi‑stage Text2SQL Workflow component of zhongyu09 openchatbi. Manipulating the arguments supplied to this function can inject arbitrary SQL statements into database queries. Successful exploitation can result in unauthorized reading, modification, or deletion of database contents, compromising the confidentiality, integrity, and availability of stored data.

Affected Systems

The flaw affects all installations of zhongyu09 openchatbi with versions up to and including 0.2.1. No specific vulnerable sub‑components are listed beyond the unnamed function referenced in the description.

Risk and Exploitability

The CVSS score of 5.3 represents a moderate severity vulnerability that does not directly lead to system compromise but allows data exfiltration or alteration. EPSS data is unavailable, but public disclosure indicates that the exploit is known and could be deployed remotely. The vendor has yet to provide a patch or advisory, so the risk remains unmitigated until an update or remediation step is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

zhongyu09

openchatbi

affected

Version	Status	Constraints
`0.2.0`	affected	—
`0.2.1`	affected	—

No data.

Vendor Product Confidence Versions

Zhongyu09

Openchatbi

100%

Version	Status	Scheme	Platform
`0.2.0`	affected	semver	—
`0.2.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify the software version you are running is 0.2.1 or earlier
Apply the latest zhongyu09 openchatbi patch that addresses the SQL injection (if available)
If no patch is available, disable or remove the vulnerable Multi‑stage Text2SQL Workflow feature to eliminate the attack surface
Restrict remote access to the application or isolate it behind a firewall to limit attacker reach
Sanitize and validate all input parameters that are used in SQL queries to prevent injection
Monitor database activity logs for anomalous SQL activity and configure alerts

Generated by OpenCVE AI on April 5, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Ka7arotto/cve/blob/main/openchatbi-SQL/issue.md
https://vuldb.com/submit/784454
https://vuldb.com/vuln/355385
https://vuldb.com/vuln/355385/cti

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zhongyu09 Zhongyu09 openchatbi
Vendors & Products		Zhongyu09 Zhongyu09 openchatbi

Mon, 06 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 05 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title		zhongyu09 openchatbi Multi-stage Text2SQL Workflow sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/Ka7arotto/cve/blob/main/openchatbi-SQL/issue.md https://vuldb.com/submit/784454 https://vuldb.com/vuln/355385 https://vuldb.com/vuln/355385/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Zhongyu09 Openchatbi

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-05T18:00:13.356Z

Updated: 2026-04-06T16:54:27.784Z

Reserved: 2026-04-04T21:42:17.789Z

Link: CVE-2026-5586

Vulnrichment

Updated: 2026-04-06T16:54:17.734Z

NVD

Status : Awaiting Analysis

Published: 2026-04-05T18:16:17.490

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object