CVE-2026-32622
Received Received - Intake
Stored Prompt Injection in SQLBot Enables Remote Code Execution

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32622
EUVD
EUVD-2026-13210
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fit2cloud sqlbot to 1.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32622 is a Stored Prompt Injection vulnerability in SQLBot versions 1.5.0 and below. It involves three chained flaws: a missing permission check on the Excel upload API that allows any authenticated user to upload malicious terminology files; unsanitized storage of terminology descriptions that can contain dangerous payloads; and a lack of semantic fencing when injecting these terminologies into the Large Language Model's (LLM) system prompt. Together, these flaws enable an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands, such as COPY ... TO PROGRAM, resulting in Remote Code Execution (RCE) on the database or application server with postgres user privileges."}] [2]

Impact Analysis

This vulnerability allows any authenticated user, even with basic privileges, to execute arbitrary system commands on the backend PostgreSQL server or the host running SQLBot. Attackers can achieve Remote Code Execution with the elevated postgres user privileges, enabling them to run commands such as reverse shells, exfiltrate sensitive data like private keys and environment variables, and potentially take over the entire database cluster.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for unauthorized or suspicious uploads to the terminology Excel upload API endpoint, specifically at /api/v1/system/terminology/uploadExcel.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows any authenticated user to upload malicious Excel files containing dangerous PostgreSQL commands, detection can focus on identifying such uploads and any unusual PostgreSQL commands executed on the server.'}, {'type': 'list_item', 'content': 'Check web server or application logs for POST requests to /api/v1/system/terminology/uploadExcel by authenticated users.'}, {'type': 'list_item', 'content': 'Audit PostgreSQL logs for suspicious commands such as COPY ... TO PROGRAM or other system command executions.'}, {'type': 'list_item', 'content': 'Use database query logging to detect execution of commands that could indicate exploitation, e.g., COPY commands with PROGRAM clauses.'}, {'type': 'list_item', 'content': 'Monitor for creation of unexpected files or changes on the server filesystem, such as files like /tmp/pwned as shown in the proof of concept.'}, {'type': 'paragraph', 'content': 'Specific commands might include:'}, {'type': 'list_item', 'content': 'On the server, check web server logs: grep "/api/v1/system/terminology/uploadExcel" /var/log/nginx/access.log'}, {'type': 'list_item', 'content': 'On PostgreSQL, enable and review logs for COPY commands: grep "COPY" /var/log/postgresql/postgresql.log'}, {'type': 'list_item', 'content': 'Check for suspicious files created by commands: ls -l /tmp | grep pwned'}] [2]

Mitigation Strategies

The primary and recommended mitigation is to upgrade SQLBot to version 1.6.0 or later, where this vulnerability has been fixed.

Additional immediate steps include:

  • Restrict access to the terminology Excel upload API endpoint (/api/v1/system/terminology/uploadExcel) to trusted users only.
  • Implement or enforce permission checks on the upload API to prevent unauthorized uploads.
  • Monitor and audit uploads to detect any suspicious or unexpected terminology files.
  • Review and sanitize any uploaded terminology descriptions to prevent injection of malicious payloads.
  • Consider temporarily disabling the terminology upload feature if upgrading immediately is not possible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32622. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart