CVE-2026-7206

Received Received - Intake

SQL Injection in dubydu sqlite-mcp extract_to_json Function

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description

A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the function extract_to_json of the file src/entry.py. Performing a manipulation of the argument output_filename results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The patch is named a5580cb992f4f6c308c9ffe6442b2e76709db548. Applying a patch is the recommended action to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-28

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-04-28

EPSS Evaluated

2026-06-15

NVD

CVE-2026-7206

EUVD

EUVD-2026-25963

Affected Vendors & Products

Vendor	Product	Version / Range
dubydu	sqlite-mcp	to 0.1.0 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

The vulnerability CVE-2026-7206 affects the extract_to_json function in the sqlite-mcp project. It allows an attacker to perform a path traversal attack by manipulating the output_filename argument, enabling arbitrary JSON file writes outside the intended database directory. Although the tool enforces a .json suffix, it does not properly canonicalize or restrict the output path, so an attacker can specify paths like ../../../../tmp/sqlite_dump.json to write database contents to arbitrary writable locations accessible by the service account.

This flaw can lead to leakage of database contents (confidentiality impact), overwriting arbitrary .json files (integrity impact), and potentially affect availability depending on the files overwritten. The vulnerability also involves a risk of SQL injection through the table_name parameter, which was addressed in the patch.

The recommended fix involves sanitizing filenames to prevent directory traversal, validating output paths to ensure they remain within the database directory, and validating the table_name parameter to prevent SQL injection.

Impact Analysis

This vulnerability can impact you by allowing an attacker to write arbitrary JSON files containing database contents to any writable location accessible by the service running sqlite-mcp. This can lead to unauthorized disclosure of sensitive database information, compromising confidentiality.

Additionally, an attacker could overwrite important JSON files, affecting data integrity, and potentially disrupt system operations or services by overwriting critical files, impacting availability.

Because the exploit can be triggered remotely without authentication, it increases the risk of unauthorized access and manipulation of data.

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized use of the `extract_to_json` function, especially calls that attempt to write JSON files outside the intended database directory via path traversal sequences in the `output_filename` parameter.

A proof of concept involves invoking the tool with an escaped output path such as `../../../../tmp/sqlite_mcp_dump.json` which causes the database dump to be written outside the repository or database directory.

To detect exploitation attempts, you can look for file creation or modification events in unexpected directories (e.g., `/tmp/`) with `.json` files related to sqlite-mcp.

Suggested commands for detection include:

Using system audit or file monitoring tools (e.g., `auditctl` on Linux) to watch for writes to `.json` files outside the database directory.
Searching logs or monitoring JSON-RPC calls to the MCP server for suspicious `output_filename` parameters containing directory traversal patterns like `../`.
Using commands like `find /tmp -name '*.json' -mtime -1` to find recently created JSON files in temporary or unusual locations.
If you have access to the MCP server logs or can intercept JSON-RPC requests, inspect calls to `extract_to_json` for unsafe output paths.

Mitigation Strategies

The primary and recommended mitigation is to apply the official patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 which addresses both path traversal and SQL injection vulnerabilities.

Key immediate mitigation steps include:

Sanitize and restrict user-supplied output filenames by stripping directory components (e.g., using `os.path.basename()`) to prevent directory traversal.
Ensure all file writes are anchored within a fixed, allowlisted database directory and validate absolute paths to prevent escapes.
Validate the `table_name` parameter to ensure it is a valid identifier and prevent SQL injection.
Run the MCP server with minimal filesystem privileges to limit the impact of any exploitation.
Avoid allowing user-controlled output paths if possible.

If patching immediately is not possible, monitor for suspicious activity as described and restrict access to the MCP server to trusted users only.

Compliance Impact

The vulnerability allows an attacker to write arbitrary JSON files containing database contents outside the intended directory, potentially leaking sensitive data. This impacts confidentiality, integrity, and availability of the database contents.

Such unauthorized data exposure and manipulation could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.

Specifically, the ability to extract and write database contents arbitrarily increases the risk of data breaches, which are critical compliance violations under these standards.

Mitigations such as restricting file writes to fixed directories, validating output paths, and minimizing filesystem privileges are necessary to maintain compliance.

Hi! I’m here to help you understand CVE-2026-7206. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-7206

SQL Injection in dubydu sqlite-mcp extract_to_json Function

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart