CVE-2026-5586
Deferred Deferred - Pending Action
SQL Injection in Zhongyu09 OpenChatBI Multi-stage Text2SQL Workflow

Publication date: 2026-04-05

Last updated on: 2026-05-20

Assigner: VulDB

Description
A vulnerability was determined in zhongyu09 openchatbi up to 0.2.1. The impacted element is an unknown function of the component Multi-stage Text2SQL Workflow. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5586
EUVD
EUVD-2026-19117
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zhongyu09 openchatbi to 0.2.1 (inc)
zhongyu09 openchatbi to 0.8.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include implementing strict validation and sanitization of all SQL commands generated by the openchatbi Text2SQL workflow before execution.

  • Whitelist only safe SQL commands such as SELECT and block dangerous commands like `COPY FROM PROGRAM`.
  • Parse and verify the SQL structure to ensure it matches expected patterns and does not contain injection payloads.
  • Monitor and restrict the privileges of the PostgreSQL user account used by openchatbi to limit the impact of any potential exploitation.
  • Apply any available patches or updates from the vendor once released, although the vendor has not responded to this disclosure yet.
Executive Summary

CVE-2026-5586 is a critical vulnerability in the openchatbi software (up to version 0.2.1) affecting its multi-stage Text2SQL workflow. This workflow converts user input into SQL queries executed on a PostgreSQL database. The vulnerability arises because the SQL generated by the language model is executed directly without any validation or sanitization.

An attacker can manipulate the input prompts at various stages of the workflow to inject arbitrary SQL commands. This includes dangerous PostgreSQL commands like COPY FROM PROGRAM, which can execute arbitrary system commands on the database server.

The attack flow involves manipulating the agent call tool, information extraction, schema linking, SQL generation, and finally SQL execution stages to run malicious SQL commands remotely.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the PostgreSQL database server hosting openchatbi.

  • Execution of arbitrary system commands on the database server.
  • Exfiltration of sensitive data through arbitrary SELECT queries.
  • Manipulation or destruction of data using DDL (Data Definition Language) or DML (Data Manipulation Language) statements.
  • Potential full compromise of the database server, which could be used as a pivot point for further attacks within the network.
Detection Guidance

This vulnerability can be detected by monitoring for unusual or malicious SQL commands executed on the PostgreSQL database, especially those involving the use of the `COPY FROM PROGRAM` command, which is not commonly used in normal operations.

Detection can also involve reviewing logs for SQL queries generated by the openchatbi Text2SQL workflow that include suspicious keywords or commands indicative of SQL injection or prompt injection.

Suggested commands to detect exploitation attempts include querying PostgreSQL logs for the presence of `COPY FROM PROGRAM` or other unexpected SQL commands:

  • grep -i 'COPY FROM PROGRAM' /var/log/postgresql/postgresql.log
  • psql -U [username] -d [database] -c "SELECT query, calls, total_time FROM pg_stat_statements WHERE query LIKE '%COPY FROM PROGRAM%';"
  • Check application logs for suspicious prompts or JSON outputs manipulated by the attacker in the multi-stage Text2SQL workflow.
Compliance Impact

The CVE-2026-5586 vulnerability allows attackers to execute arbitrary SQL commands and system commands on the PostgreSQL database server used by openchatbi. This can lead to unauthorized data exfiltration, data manipulation, and full database compromise.

Such unauthorized access and potential data breaches can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information.

Specifically, the ability to exfiltrate sensitive data or manipulate/destroy data could violate confidentiality, integrity, and availability requirements mandated by these regulations.

Therefore, organizations using vulnerable versions of openchatbi may face compliance risks and potential legal and financial consequences if this vulnerability is exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5586. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart