CVE-2026-30273
SQL Injection in pandas-ai _execute_sql_query Component
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gabrieleventuri | pandasai | to 3.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the SQL injection vulnerability in pandas-ai v3.0.0 impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a SQL injection in pandas-ai v3.0.0 via the pandasai.agent.base._execute_sql_query component. Detection involves monitoring for unusual or unauthorized SQL query patterns that may indicate injection attempts.
You can detect potential exploitation by reviewing logs for suspicious SQL queries or unexpected database access patterns.
Specific commands to detect this vulnerability are not provided in the available resources.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform SQL injection attacks, potentially leading to unauthorized access to sensitive data stored in the database. Specifically, an attacker could read arbitrary files from the database server, which may result in data breaches, exposure of confidential information, and compromise of system integrity.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of pandas-ai version 3.0.0 or earlier until a patch or update is available.
Restrict access to the affected component and validate or sanitize all user inputs to prevent SQL injection.
Monitor your systems for signs of exploitation and apply any official patches or updates once released.
Can you explain this vulnerability to me?
CVE-2026-30273 is a SQL injection vulnerability found in pandas-ai version 3.0.0 and earlier. It occurs in the pandasai.agent.base._execute_sql_query component, where user input is improperly handled in SQL queries. This flaw allows an attacker to inject crafted input into the prompt, which can lead to unauthorized reading of arbitrary files from the database server.