Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32950 is a critical SQL Injection vulnerability in SQLBot versions prior to 1.7.0, specifically in the /api/v1/datasource/uploadExcel endpoint. The issue arises because Excel Sheet names are directly concatenated into PostgreSQL table names without any sanitization, and these table names are then embedded into SQL COPY statements using unsafe Python f-string formatting instead of parameterized queries.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by uploading specially crafted Excel files in two stages: first, a normal file with shell commands in data rows, and second, a tampered file with an XML-modified Sheet name that injects a TO PROGRAM 'sh' clause into the SQL. This allows execution of arbitrary shell commands on the backend server as the postgres user."}, {'type': 'paragraph', 'content': 'The root cause is the lack of sanitization of Sheet names and unsafe SQL query construction, enabling SQL Injection that leads to Remote Code Execution (RCE).'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user, even those with minimal privileges, to fully compromise the backend server running SQLBot.

• Arbitrary command execution as the postgres user (UID 999) on the backend server.
• Execution of arbitrary system commands, including reverse shells.
• Exfiltration of sensitive files such as /etc/passwd, /etc/shadow, and application configuration files.
• Complete takeover of the PostgreSQL database due to elevated privileges of the exploited process.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or suspicious activity related to the /api/v1/datasource/uploadExcel endpoint in SQLBot versions prior to 1.7.0, especially uploads of Excel files with tampered Sheet names containing SQL injection payloads.'}, {'type': 'paragraph', 'content': 'Detection can involve inspecting HTTP requests to the vulnerable endpoint for Excel uploads where the Sheet names include suspicious patterns such as embedded SQL commands or the string TO PROGRAM.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring PostgreSQL logs for COPY commands that include TO PROGRAM clauses or unexpected shell command executions can help identify exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Check web server access logs for POST requests to /api/v1/datasource/uploadExcel with unusual payloads.'}, {'type': 'list_item', 'content': 'Use PostgreSQL log analysis to search for COPY commands containing TO PROGRAM, e.g.:'}, {'type': 'list_item', 'content': "grep -i 'COPY.*TO PROGRAM' /var/log/postgresql/postgresql.log"}, {'type': 'list_item', 'content': 'Monitor for creation of tables with suspicious names containing double quotes or shell command fragments.'}, {'type': 'list_item', 'content': 'If possible, capture and analyze network traffic to detect uploads of Excel files with XML modifications to Sheet names.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade SQLBot to version 1.7.0 or later, where the vulnerability has been fixed by properly sanitizing and parameterizing the SQL queries.

No effective workaround other than upgrading is recommended.

Until the upgrade can be applied, restrict access to the /api/v1/datasource/uploadExcel endpoint to trusted users only, and monitor for suspicious activity as described.

Useful 0 Not Useful 0