Compliance Impact

The vulnerability allows remote code execution through unsafe evaluation of user-controlled input, which can lead to unauthorized access, data manipulation, or system compromise.

Such security weaknesses can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations to prevent unauthorized access and data breaches.

Exploitation of this vulnerability could result in violations of these regulations due to potential exposure or alteration of protected data, failure to maintain system integrity, and inadequate security controls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on the server hosting the vulnerable premsql service remotely. This can lead to full compromise of the server, including unauthorized access, data theft, data manipulation, or disruption of service.

Because the attacker can run any system command, they could install malware, create backdoors, or pivot to other parts of the network, severely impacting the security and integrity of your systems.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-5594 is a remote code execution vulnerability in the premAI-io premsql library (up to version 0.2.1). It occurs because the application unsafely uses Python's eval() function on the raw output of a language model (LLM) without proper validation. Specifically, the eval() function is called on a string returned by the LLM after replacing JSON null with Python None. An attacker can exploit this by injecting malicious code into the LLM's output, which is then executed on the server.

The vulnerability is located in the function eval of the file premsql/agents/baseline/workers/followup.py. By sending crafted input (prompt injection), an attacker can manipulate the LLM to output arbitrary Python code, which the server executes, leading to remote code execution.

A proof-of-concept exploit demonstrates this by sending a JSON payload that causes the server to execute system commands such as launching the calculator application (calc) on Windows.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the remote code execution flaw using crafted HTTP POST requests to the vulnerable service endpoint `/completion` on port 1111.

A proof-of-concept Python script sends two requests: first a benign JSON payload to initialize the service, then a crafted JSON payload that injects Python code to be executed on the server.

Detection involves sending a payload that attempts to execute a harmless system command, such as launching the calculator application (`calc`), and then verifying if the command was executed on the server.

• Use the provided PoC Python script which sends HTTP POST requests with JSON payloads to `http://127.0.0.1:1111/completion`.
• Check the server for side effects of the injected command, for example, if the calculator application (`calc`) is launched on a Windows server.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves removing the unsafe use of Python's `eval()` function on untrusted input generated by the language model.

Replace the vulnerable code that uses `eval()` with safe JSON parsing methods such as `json.loads()` to parse the LLM output.

Ensure that the prompt to the language model instructs it to output valid JSON to facilitate safe parsing.

If necessary, use JSON repair tools to fix malformed JSON before parsing to avoid fallback to unsafe evaluation.

• Patch the code from `result = eval(result.replace("null", "None"))` to `result = json.loads(result_str)`.
• Avoid executing any code derived from untrusted input without proper validation.

Useful 0 Not Useful 0