Description
A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in an unspecified function of the Multi-stage Text2SQL Workflow component of zhongyu09 openchatbi, affecting versions up to 0.2.1. Manipulating the keywords argument supplied to this function can inject arbitrary SQL into the database queries the workflow generates. Successful exploitation can result in unauthorized reading, modification, or deletion of database contents, compromising the confidentiality, integrity, and availability of stored data. The attack may be launched remotely and the exploit has been publicly disclosed.

Affected Systems

The flaw affects all installations of zhongyu09 openchatbi with versions up to and including 0.2.1. No specific vulnerable sub-components are listed beyond the unnamed function referenced in the description.

Risk and Exploitability

The CVSS score of 5.3 represents a moderate-severity vulnerability that does not directly lead to system compromise but allows data exfiltration or alteration. The EPSS score of < 1% indicates a very low probability of exploitation, though the exploit has been publicly disclosed and could be used remotely while the vulnerability remains unpatched. The vendor has yet to provide a patch or advisory, so the risk remains unmitigated until an update or remediation step is applied.

Generated by OpenCVE AI on May 20, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest zhongyu09 openchatbi patch that addresses the SQL injection (if available)
  • If no patch is available, disable or remove the vulnerable Multi-stage Text2SQL Workflow feature to eliminate the attack surface
  • Restrict remote access to the application or isolate it behind a firewall to limit attacker reach
  • Sanitize and validate all input parameters that are used in SQL queries to prevent injection
  • Monitor database activity logs for anomalous SQL activity and configure alerts
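As an added illustration of the input-handling recommendation above (this is example code written for this page, not openchatbi's own code or anything from OpenCVE), the Python below contrasts a keyword search that splices user text into the SQL string with one that passes each keyword as a bind parameter and escapes LIKE wildcards. The `reports` table, its rows, and the function names are constructed for the demo; openchatbi's real schema and query builder are not known from this page.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data for the demo; not openchatbi's real schema.
SAMPLE_ROWS: List[Tuple[int, str]] = [
    (1, "quarterly revenue by region"),
    (2, "O'Neil account churn"),
    (3, "100% renewal rate"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn: sqlite3.Connection, keywords: List[str]) -> List[Tuple[int, str]]:
    """Vulnerable pattern (hypothetical, shown for contrast): keyword text is
    spliced straight into the statement, so quotes and wildcards in the input
    alter the SQL instead of being matched as data."""
    clauses = " OR ".join(f"title LIKE '%{kw}%'" for kw in keywords)
    return list(conn.execute(f"SELECT id, title FROM reports WHERE {clauses}"))


def _escape_like(term: str) -> str:
    """Escape LIKE metacharacters so they match literally under ESCAPE '\\'."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn: sqlite3.Connection, keywords: List[str]) -> List[Tuple[int, str]]:
    """Hardened pattern: the SQL text is fixed and every keyword is a bind
    parameter; LIKE wildcards are neutralised with an explicit ESCAPE char."""
    if not keywords:
        return []
    clauses = " OR ".join("title LIKE ? ESCAPE '\\'" for _ in keywords)
    params = [f"%{_escape_like(kw)}%" for kw in keywords]
    return list(conn.execute(f"SELECT id, title FROM reports WHERE {clauses}", params))


def run_demo() -> Dict[str, object]:
    """Run both builders on inputs that expose the difference between them."""
    conn = make_db()
    out: Dict[str, object] = {}
    # A plain apostrophe in a name breaks the unsafe query at parse time:
    # the same text-vs-data boundary that an injected payload abuses.
    try:
        out["unsafe_quote"] = search_unsafe(conn, ["O'Neil"])
    except sqlite3.OperationalError as exc:
        out["unsafe_quote"] = f"error: {exc}"
    out["safe_quote"] = search_safe(conn, ["O'Neil"])
    # An unescaped LIKE wildcard makes the unsafe query match every row,
    # while the escaped version looks for a literal underscore.
    out["unsafe_wildcard"] = search_unsafe(conn, ["_"])
    out["safe_wildcard"] = search_safe(conn, ["_"])
    out["safe_percent"] = search_safe(conn, ["100%"])
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point for a Text2SQL pipeline is that any value the model or the user supplies (here the keyword list) should only ever reach the database as a bound parameter; the statement shape can still be assembled dynamically, as `search_safe` does with its `OR` clauses, as long as no input text is interpolated into it.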

Advisories

No advisories yet.

History

Wed, 20 May 2026 10:00:00 +0000

Type: Description
  Values Removed: A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
  Values Added: A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Type: CPEs
  Values Added: cpe:2.3:a:zhongyu09:openchatbi:*:*:*:*:*:*:*:*
Type: References

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Zhongyu09; Zhongyu09 openchatbi
Type: Vendors & Products
  Values Added: Zhongyu09; Zhongyu09 openchatbi

Mon, 06 Apr 2026 18:00:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 18:15:00 +0000

Type: Description
  Values Added: A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
  Values Added: zhongyu09 openchatbi Multi-stage Text2SQL Workflow sql injection
Type: Weaknesses
  Values Added: CWE-74; CWE-89
Type: References
Type: Metrics
  Values Added: cvssV2_0
    {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0
    {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0
    {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-20T08:45:43.386Z

Reserved: 2026-04-04T21:42:17.789Z

Link: CVE-2026-5586

Vulnrichment

Updated: 2026-04-06T16:54:17.734Z

NVD

Status: Deferred

Published: 2026-04-05T18:16:17.490

Modified: 2026-05-20T10:16:28.600

Link: CVE-2026-5586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses