CVE-2026-32622 PUBLISHED

SQLBot: Remote Code Execution via Terminology Poisoning

Assigner: GitHub_M
Reserved: 12.03.2026 Published: 19.03.2026 Updated: 19.03.2026

SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	dataease
Product	SQLBot
Versions	Version < 1.6.0 is affected

References

Problem Types

CWE-862: Missing Authorization CWE
CWE-20: Improper Input Validation CWE
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE