CVE-2026-4530
SQL Injection in apconw Aix-DB Local Component
Publication date: 2026-03-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apconw | aix-db | up to 1.2.3 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4530 is a critical vulnerability in the Aix-DB software (version 1.2.3) that allows attackers to perform SQL injection through the manipulation of terminology descriptions in the "Terminology Management" feature.

The vulnerability arises because user-supplied terminology descriptions are directly concatenated into prompts sent to a Large Language Model (LLM) without any sanitization. The LLM then generates SQL commands based on these prompts, which are executed by the backend without validation.

Attackers can inject malicious SQL commands, including PostgreSQL's `COPY FROM PROGRAM` feature, enabling them to execute arbitrary system commands on the database server, leading to full remote code execution (RCE).

Exploitation requires a local approach with an account that has permission to add terminology and a PostgreSQL datasource user with `COPY` privileges. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including arbitrary file writes, execution of system commands, and full remote code execution on the database server.
Attackers can exploit this flaw to run commands such as creating or dropping tables, writing files to the server, executing reverse shells, exfiltrating sensitive data like the contents of `/etc/passwd`, and moving laterally within the internal network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying malicious terminology entries injected via the "Terminology Management" interface that lead to SQL injection and remote code execution on the PostgreSQL server.

You can check for suspicious entries in the database table `t_terminology` that contain unusual or malicious payloads in the description field.

Additionally, monitoring for execution of PostgreSQL commands like `COPY FROM PROGRAM` can indicate exploitation attempts.

- Query the terminology table for suspicious descriptions: `SELECT * FROM t_terminology WHERE description LIKE '%COPY FROM PROGRAM%';`
- Check for unexpected files created by commands such as `COPY FROM PROGRAM 'id'` (e.g., `/tmp/abx`) on the server filesystem.
- Monitor PostgreSQL logs for execution of dangerous SQL commands like `DROP TABLE`, `COPY FROM PROGRAM`, or other system command executions. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing execution of dangerous SQL commands and sanitizing user input.
- Implement strict SQL type checking in the backend service (`agent/text2sql/database/db_service.py`) to forbid execution of SQL statements containing keywords such as `INSERT`, `UPDATE`, `DELETE`, `DROP`, `ALTER`, `TRUNCATE`, `CREATE`, `COPY`, `GRANT`, and `REVOKE`.
- Allow only `SELECT` queries to be executed to minimize risk.
- Sanitize and escape all user-supplied terminology descriptions before including them in LLM prompts to prevent prompt injection.
- Restrict permissions on the PostgreSQL datasource user to disallow `COPY` privileges if possible.
- Monitor and audit terminology entries regularly to detect and remove any malicious payloads.
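The following is an added example, not code from the Aix-DB project, showing how the "SELECT only" allowlist described in the mitigation steps can be implemented, and how the same check can be run over PostgreSQL log lines for the log monitoring described in the detection answer. It assumes nothing about the project's `db_service.py`; the function names (`tokenize`, `check_generated_sql`, `flag_log_lines`) and the sample log lines are constructed for this illustration. The check deliberately tokenizes the statement rather than doing a plain substring search, so a keyword hidden behind a comment or a stacked second statement is caught, while the same keyword inside a string literal is not a false positive. It goes slightly beyond the page's list by also allowing `WITH` (CTE-based SELECTs are common; a data-modifying CTE is still rejected) and by forbidding `INTO` (`SELECT ... INTO` creates a table in PostgreSQL).

```python
import re

# Statement starts the backend will execute: the advisory's "SELECT only" rule,
# plus WITH because CTE-based SELECTs are common. A data-modifying CTE
# (WITH x AS (DELETE ...) SELECT ...) is still caught by FORBIDDEN below.
READ_ONLY_LEADS = {"SELECT", "WITH"}

# The advisory's keyword list, plus INTO (SELECT ... INTO creates a table in PostgreSQL).
FORBIDDEN = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE",
             "CREATE", "COPY", "GRANT", "REVOKE", "INTO"}


def tokenize(sql):
    """Yield (kind, text) tokens: 'word', 'string', 'semi' or 'dollar'.
    Comments are skipped and quoted literals/identifiers are kept whole, so a
    keyword inside '...' or "..." is never mistaken for SQL."""
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if sql.startswith("--", i):                       # line comment
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
        elif sql.startswith("/*", i):                     # block comment
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c in "'\"":                                  # quoted literal or identifier
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:     # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            yield ("string", sql[i:j + 1])
            i = j + 1
        elif c.isalpha() or c == "_":                     # keyword or identifier
            j = i
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            yield ("word", sql[i:j])
            i = j
        elif c == ";":
            yield ("semi", c)
            i += 1
        elif c == "$" and not (i + 1 < n and sql[i + 1].isdigit()):
            yield ("dollar", c)                           # $$ / $tag$ quoting is not parsed here
            i += 1
        else:
            i += 1                                        # digits, operators, whitespace, $1


def check_generated_sql(sql):
    """Return (allowed, reason) for one piece of LLM-generated SQL."""
    statements, current = [], []
    for kind, text in tokenize(sql):
        if kind == "semi":
            if current:
                statements.append(current)
            current = []
        else:
            current.append((kind, text))
    if current:
        statements.append(current)
    if len(statements) != 1:                              # no stacked queries, no empty input
        return False, "expected exactly one statement, got %d" % len(statements)
    tokens = statements[0]
    if any(kind == "dollar" for kind, _ in tokens):
        return False, "dollar-quoted text is rejected because it is not parsed"
    words = [text.upper() for kind, text in tokens if kind == "word"]
    if not words or words[0] not in READ_ONLY_LEADS:
        return False, "statement must begin with SELECT or WITH"
    for w in words:
        if w in FORBIDDEN:
            return False, "forbidden keyword %s" % w
    return True, "ok"


# Constructed PostgreSQL log lines (as produced with log_statement = 'mod' or 'all');
# these are illustrative, not real log data from any system.
SAMPLE_LOG = [
    "2026-03-22 10:01:02.117 UTC [4121] LOG:  statement: SELECT name, description FROM t_terminology WHERE id = 7",
    "2026-03-22 10:01:05.402 UTC [4121] LOG:  statement: COPY t_terminology FROM PROGRAM '<redacted>'",
    "2026-03-22 10:01:06.001 UTC [4122] LOG:  connection authorized: user=aixdb database=aixdb",
    "2026-03-22 10:01:09.550 UTC [4121] LOG:  statement: DROP TABLE t_terminology",
]

LOG_STATEMENT = re.compile(r"LOG:\s+statement:\s+(.*)$")


def flag_log_lines(lines):
    """Run the same allowlist over logged statements; return (line_no, reason, sql) hits."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_STATEMENT.search(line)
        if m:
            ok, reason = check_generated_sql(m.group(1))
            if not ok:
                hits.append((line_no, reason, m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("line %d: %s -> %s" % hit)
```

A keyword allowlist only bounds the statement type; a plain `SELECT` can still call server-side functions that read files or run with the datasource role's privileges, so the role itself must stay least-privilege (no `COPY`, no superuser), as the mitigation list already recommends. For the log side, `log_statement = 'mod'` is enough to capture DDL and `COPY FROM`; `'all'` is needed to see the SELECT traffic as well.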