CVE-2026-50180 PUBLISHED

Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read

Assigner: GitHub_M
Reserved: 03.06.2026 Published: 09.07.2026 Updated: 09.07.2026

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, SQLChatAgent in langroid ships a _validate_query defense-in-depth layer whose _DANGEROUS_SQL_PATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family pg_read_file(), pg_stat_file(), pg_ls_logdir(), pg_ls_waldir(), pg_current_logfile() (and similar SELECT-shaped functions in the same family). It also leaves SQL Server OPENDATASOURCE and SQLite ATTACH '<file>' AS x (DATABASE keyword omitted) unblocked. An attacker able to shape the LLM's generated SQL (directly via prompt input or transitively via prompt-injection in data the LLM ingests) can read arbitrary files from the PostgreSQL host through ordinary SELECT queries, even with the agent's strict default configuration (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The payloads survive the statement-type allowlist (each is a SELECT) and pass through the regex blocklist (none of the function names match), then reach the live SQLAlchemy engine via SQLChatAgent.run_query. Version 0.64.0 contains a patch for the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor langroid
Product langroid
Versions
  • Version < 0.64.0 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE