{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32622", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.558Z", "datePublished": "2026-03-19T20:55:51.987Z", "dateUpdated": "2026-03-24T01:40:19.077Z"}, "containers": {"cna": {"title": "SQLBot: Remote Code Execution via Terminology Poisoning", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3"}, {"name": "https://github.com/dataease/SQLBot/releases/tag/v1.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/SQLBot/releases/tag/v1.6.0"}], "affected": [{"vendor": "dataease", "product": "SQLBot", "versions": [{"version": "< 1.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:55:51.987Z"}, "descriptions": [{"lang": "en", "value": "SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0."}], "source": {"advisory": "GHSA-m7q7-vhw9-q7m3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T01:40:07.376744Z", "id": "CVE-2026-32622", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:40:19.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32622", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T01:40:07.376744Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:40:14.326Z"}}], "cna": {"title": "SQLBot: Remote Code Execution via Terminology Poisoning", "source": {"advisory": "GHSA-m7q7-vhw9-q7m3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "SQLBot", "versions": [{"status": "affected", "version": "< 1.6.0"}]}], "references": [{"url": "https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3", "name": "https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dataease/SQLBot/releases/tag/v1.6.0", "name": "https://github.com/dataease/SQLBot/releases/tag/v1.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:55:51.987Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32622", "state": "PUBLISHED", "dateUpdated": "2026-03-24T01:40:19.077Z", "dateReserved": "2026-03-12T15:29:36.558Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T20:55:51.987Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fit2cloud:sqlbot:*:*:*:*:*:*:*:*", "matchCriteriaId": "659F9755-9C97-4299-B46B-F20312FDDE52", "versionEndExcluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0."}, {"lang": "es", "value": "SQLBot es un sistema inteligente de consulta de datos basado en un modelo de lenguaje grande y RAG. Las versiones 1.5.0 e inferiores contienen una vulnerabilidad de inyecci\u00f3n de prompt almacenado que encadena tres fallos: una falta de verificaci\u00f3n de permisos en la API de carga de Excel que permite a cualquier usuario autenticado cargar terminolog\u00eda maliciosa, un almacenamiento no saneado de descripciones de terminolog\u00eda que contienen cargas \u00fatiles peligrosas, y una falta de cercado sem\u00e1ntico al inyectar terminolog\u00eda en el prompt del sistema del LLM. Juntos, estos fallos permiten a un atacante secuestrar el razonamiento del LLM para generar comandos PostgreSQL maliciosos (por ejemplo, COPY ... TO PROGRAM), logrando en \u00faltima instancia la Ejecuci\u00f3n Remota de C\u00f3digo en la base de datos o el servidor de aplicaciones con privilegios de usuario postgres. El problema est\u00e1 solucionado en la v1.6.0."}], "id": "CVE-2026-32622", "lastModified": "2026-03-23T17:34:55.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:10.563", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dataease/SQLBot/releases/tag/v1.6.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SQLBot", "source": "cna", "vendor": "dataease"}, "product": "sqlbot", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-03-19T22:26:13.651871+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided patch by upgrading to SQLBot v1.6.0 or later.", "If an upgrade is not immediately possible, restrict access to the Excel upload API so that only trusted administrators can use it and remove the permission for regular users.", "As a temporary mitigation, sanitize terminology inputs to strip or neutralize dangerous payloads before storage.", "Monitor upload activity logs for abnormal or unexpected uploads and enforce strict input validation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is SQLBot from dataease. Versions 1.5.0 and all earlier releases are affected. The vulnerability is fixed in v1.6.0.", "description_and_impact": "SQLBot, an intelligent data query system based on a large language model and Retrieval-Augmented Generation, contains a chain of three vulnerabilities in versions 1.5.0 and earlier. An authenticated user can upload an Excel file containing malicious terminology because the upload API lacks a permission check. The system stores the terminology description without sanitization, and when injected into the LLM\u2019s system prompt there is no semantic fencing. This allows an attacker to trick the LLM into generating dangerous PostgreSQL commands such as COPY \u2026 TO PROGRAM, which ultimately achieves Remote Code Execution on the database or application server with postgres user privileges. The impact includes compromise of confidentiality, integrity and availability of the affected database and potentially the entire application server.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.6, indicating high severity. An EPSS score is not available. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector appears to be through an authenticated user with access to upload Excel files; the chain requires the attacker to supply the malicious terminology, the system to store it unsanitized, and the LLM to use it in its prompt. Once all three conditions are met, the attacker can execute arbitrary commands on the database or server, achieving full compromise at the postgres privilege level."}}}}, "created": "2026-03-20T08:56:06.425782+00:00", "updated": "2026-03-20T11:06:16.187453+00:00", "vendors": ["dataease", "dataease$PRODUCT$sqlbot"]}