CVE-2026-32622
Stored Prompt Injection in SQLBot Enables Remote Code Execution
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fit2cloud | sqlbot | to 1.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-32622 is a Stored Prompt Injection vulnerability in SQLBot versions 1.5.0 and below. It involves three chained flaws: a missing permission check on the Excel upload API that allows any authenticated user to upload malicious terminology files; unsanitized storage of terminology descriptions that can contain dangerous payloads; and a lack of semantic fencing when injecting these terminologies into the Large Language Model's (LLM) system prompt. Together, these flaws enable an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands, such as COPY ... TO PROGRAM, resulting in Remote Code Execution (RCE) on the database or application server with postgres user privileges."}] [2]
How can this vulnerability impact me? :
This vulnerability allows any authenticated user, even with basic privileges, to execute arbitrary system commands on the backend PostgreSQL server or the host running SQLBot. Attackers can achieve Remote Code Execution with the elevated postgres user privileges, enabling them to run commands such as reverse shells, exfiltrate sensitive data like private keys and environment variables, and potentially take over the entire database cluster.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for unauthorized or suspicious uploads to the terminology Excel upload API endpoint, specifically at /api/v1/system/terminology/uploadExcel.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows any authenticated user to upload malicious Excel files containing dangerous PostgreSQL commands, detection can focus on identifying such uploads and any unusual PostgreSQL commands executed on the server.'}, {'type': 'list_item', 'content': 'Check web server or application logs for POST requests to /api/v1/system/terminology/uploadExcel by authenticated users.'}, {'type': 'list_item', 'content': 'Audit PostgreSQL logs for suspicious commands such as COPY ... TO PROGRAM or other system command executions.'}, {'type': 'list_item', 'content': 'Use database query logging to detect execution of commands that could indicate exploitation, e.g., COPY commands with PROGRAM clauses.'}, {'type': 'list_item', 'content': 'Monitor for creation of unexpected files or changes on the server filesystem, such as files like /tmp/pwned as shown in the proof of concept.'}, {'type': 'paragraph', 'content': 'Specific commands might include:'}, {'type': 'list_item', 'content': 'On the server, check web server logs: grep "/api/v1/system/terminology/uploadExcel" /var/log/nginx/access.log'}, {'type': 'list_item', 'content': 'On PostgreSQL, enable and review logs for COPY commands: grep "COPY" /var/log/postgresql/postgresql.log'}, {'type': 'list_item', 'content': 'Check for suspicious files created by commands: ls -l /tmp | grep pwned'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade SQLBot to version 1.6.0 or later, where this vulnerability has been fixed.
Additional immediate steps include:
- Restrict access to the terminology Excel upload API endpoint (/api/v1/system/terminology/uploadExcel) to trusted users only.
- Implement or enforce permission checks on the upload API to prevent unauthorized uploads.
- Monitor and audit uploads to detect any suspicious or unexpected terminology files.
- Review and sanitize any uploaded terminology descriptions to prevent injection of malicious payloads.
- Consider temporarily disabling the terminology upload feature if upgrading immediately is not possible.