CVE-2026-7023
SQL Injection in ByteDance coze-studio DatabaseTool Enables Remote Exploit
Publication date: 2026-04-26
Last updated on: 2026-05-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coze | coze_studio | to 0.5.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive internal database information, such as authentication hashes and tenant data, breaking tenant isolation.
Attackers can exploit this remotely with minimal privileges and no user interaction, potentially leading to data breaches.
There is also a risk of Remote Code Execution if the attacker combines this vulnerability with other SQL features like INTO OUTFILE.
Can you explain this vulnerability to me?
CVE-2026-7023 is a SQL injection vulnerability in the ExecuteSQL function of the ByteDance coze-studio database tool up to version 0.5.1. The vulnerability allows attackers to bypass Web Application Firewall (WAF) filters that are intended to block access to sensitive system tables by exploiting flaws in SQL validation.
Specifically, the vulnerability arises because the application converts SQL queries to uppercase to detect restricted tokens, but this fails when MySQL object identifiers are enclosed in backticks. Additionally, a regex-based whitelist validation can be bypassed by injecting parentheses around table names, causing the validator to miss restricted tables.
These bypasses enable unauthorized or underprivileged attackers to execute arbitrary SQL queries with root-level privileges on the internal database, potentially retrieving sensitive data such as password hashes and cross-tenant schema information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection in the ExecuteSQL function of the Coze Agent database tool, allowing unauthorized SQL queries to be executed. Detection can focus on monitoring for suspicious SQL queries that attempt to bypass filters using backticks or parentheses around table names, especially queries targeting system tables like `mysql.user`.
One approach is to inspect logs or network traffic for SQL queries containing unusual patterns such as backticked system table references (e.g., `` `mysql`.`user` ``) or queries with parentheses around table names (e.g., FROM (`mysql`.`user`)).
Suggested commands to detect such activity might include:
- Using grep or similar tools on application logs to find suspicious SQL queries: grep -iE "FROM \(`mysql`\.\`user\`\)|SELECT.*authentication_string" /path/to/logs
- Monitoring network traffic for SQL payloads with backticks or parentheses using tools like tcpdump or Wireshark with filters for SQL keywords and special characters.
- If the database supports query logging, enable it and search for queries matching the bypass patterns described.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the affected software to a version later than 0.5.1 where the vulnerability has been patched.
- Restrict access to the vulnerable ExecuteSQL function by limiting user privileges and network access to trusted users and systems only.
- Implement additional input validation and sanitization on SQL queries to prevent bypass techniques involving backticks and parentheses.
- Monitor logs and network traffic for suspicious SQL injection attempts as described, and respond to any detected exploitation attempts.
- Consider deploying Web Application Firewall (WAF) rules to detect and block SQL injection patterns specific to this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to sensitive internal database information, including password hashes and cross-tenant schema data, due to SQL injection flaws in the ExecuteSQL function.
Such unauthorized data access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over sensitive personal and health information.
Exploitation of this vulnerability could result in exposure of confidential data, violating confidentiality and integrity requirements mandated by these standards.