Description
A vulnerability was detected in griptape-ai griptape 0.19.4. Affected by this issue is some unknown functionality of the file griptape/tools/sql/tool.py of the component SqlTool. Performing a manipulation results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in griptape-ai griptape 0.19.4's SqlTool component permits the injection of arbitrary SQL through unvalidated input in tool.py. The vulnerability arises from inadequate input sanitization and results in a typical SQL injection scenario, potentially allowing an attacker to read, modify, or delete data in the database. This flaw is documented as CVE-2026-5596.

Affected Systems

The affected system is the griptape-ai griptape library, version 0.19.4. The SQL injection vulnerability resides specifically in the file griptape/tools/sql/tool.py of the SqlTool component. No other product versions are identified as affected at this time.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the issue is not listed in the KEV catalogue. Because the vulnerability can be triggered remotely and a public exploit is available, the likelihood of exploitation is non-negligible. An attacker could potentially execute arbitrary SQL commands, affecting the confidentiality and integrity of the data. No official patch or workaround is currently documented.

Generated by OpenCVE AI on April 5, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest griptape release that resolves the SQL injection flaw, if one is available.
  • If an upgrade is not possible, isolate or disable the SqlTool feature from untrusted environments and restrict network access to the component.
  • Review and sanitize any user-supplied input that feeds into SQL queries within the application.
  • Monitor application logs for anomalous SQL statements and investigate any suspicious activity promptly.
  • Consult the griptape developer community for updates and apply any interim mitigations recommended by the maintainers.
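The advice above to "sanitize" input that reaches SQL queries is best implemented as parameterization: values are bound to placeholders so the database never parses them as statement text, while identifiers (table and column names), which cannot be bound, are checked against an allowlist. The following added example is not code from griptape or from this advisory; it uses Python's standard sqlite3 module and hypothetical function names, and the rows, allowlist and log lines are constructed for the demonstration. It places a string-formatted query beside its parameterized form, shows the allowlist check for identifiers, and ends with a coarse log check of the kind the monitoring recommendation describes. The textbook probe string is used only to show that the two code paths behave differently.

```python
import re
import sqlite3

# Constructed allowlist of identifiers the tool may touch (not from griptape).
ALLOWED_TABLES = {"users", "orders"}
# Statement types a read-only tool is expected to issue (constructed policy).
EXPECTED_VERBS = {"SELECT"}


def build_sample_db():
    """Create an in-memory database populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL text,
    so quote characters inside it change the structure of the statement."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened pattern: the value travels as a bound parameter and is treated
    purely as data, whatever characters it contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def count_rows_safe(conn, table):
    """Identifiers cannot be bound as parameters, so validate them against an
    allowlist and quote them before they are interpolated into the statement."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


# Hypothetical key=value log format; the sql="..." field holds the statement text.
_SQL_FIELD = re.compile(r'sql="(?P<sql>.*)"\s*$')


def flag_unexpected_statements(log_lines):
    """Coarse log check: return statements whose leading keyword is outside the
    expected set, or that carry SQL comment markers or a second statement."""
    flagged = []
    for line in log_lines:
        match = _SQL_FIELD.search(line)
        if not match:
            continue
        sql = match.group("sql").strip()
        verb = sql.split(None, 1)[0].upper() if sql else ""
        stacked = ";" in sql.rstrip(";")
        commented = "--" in sql or "/*" in sql
        if verb not in EXPECTED_VERBS or stacked or commented:
            flagged.append(sql)
    return flagged


# Constructed log lines (not real SqlTool output).
SAMPLE_LOG = [
    'ts=2026-04-05T21:16:49Z tool=SqlTool sql="SELECT name, role FROM users WHERE name = ?"',
    'ts=2026-04-05T21:17:02Z tool=SqlTool sql="DELETE FROM users"',
    'ts=2026-04-05T21:17:30Z tool=SqlTool sql="SELECT name FROM users; SELECT role FROM users"',
]


if __name__ == "__main__":
    db = build_sample_db()
    probe = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no row has that literal name
    print("rows:  ", count_rows_safe(db, "users"))
    print("flagged:", flag_unexpected_statements(SAMPLE_LOG))
```

The log check is deliberately simple: it relies on the application logging the statement text it sends, and a keyword allowlist will not catch every abuse of a legitimate SELECT. It is a starting point for the "monitor for anomalous SQL statements" recommendation, not a substitute for parameterizing the queries in the first place.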

Generated by OpenCVE AI on April 5, 2026 at 23:38 UTC.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Griptape-ai; Griptape-ai griptape
Type: Vendors & Products
  Values Added: Griptape-ai; Griptape-ai griptape

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics
  Values Added:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Type: Description
  Values Added: A vulnerability was detected in griptape-ai griptape 0.19.4. Affected by this issue is some unknown functionality of the file griptape/tools/sql/tool.py of the component SqlTool. Performing a manipulation results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
  Values Added: griptape-ai griptape SqlTool tool.py sql injection
Type: Weaknesses
  Values Added: CWE-74; CWE-89
Type: References
  Values Added: (none)
Type: Metrics
  Values Added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T18:09:27.417Z

Reserved: 2026-04-05T05:16:59.422Z

Link: CVE-2026-5596

Vulnrichment

Updated: 2026-04-06T18:09:23.135Z

NVD

Status: Awaiting Analysis

Published: 2026-04-05T21:16:49.220

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:22Z

Weaknesses