CVE-2026-10176
SQL Injection in Aider-AI Aider Code Generation Workflow
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aider-ai | aider | 0.86.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Aider-AI Aider version 0.86.3 within the Code Generation Workflow component. It allows an attacker to perform SQL injection by manipulating the code generation process. Specifically, Aider initially generated safe parameterized SQL queries, but it later accepted attacker-supplied coding standards that replaced these safe queries with unsafe string formatting. This caused the tool to produce insecure SQL code that interpolates user input directly into SQL statements, making it vulnerable to injection attacks.
The attack can be executed remotely, and the exploit has been publicly disclosed. The root cause is that Aider accepts malicious or unsafe coding guidance that downgrades secure SQL handling practices, leading to the generation and potential committing of vulnerable code.
How can this vulnerability impact me?
This vulnerability can lead to SQL injection attacks, which may allow attackers to execute arbitrary SQL commands on your database. This can result in unauthorized data access, data modification, or deletion, potentially compromising the confidentiality, integrity, and availability of your data.
Since the vulnerability arises from unsafe code generated by Aider, it can lead to insecure code being committed into your projects, increasing the risk of exploitation if the vulnerable code is deployed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe SQL query generation through string interpolation instead of parameterized queries in Aider-AI Aider 0.86.3. To detect it on your system, you should review the generated code for insecure SQL patterns such as string formatting or f-strings used directly in SQL execution commands.
- Search your codebase for SQL execution commands that use string interpolation, for example calls like `cursor.execute(f"SELECT * FROM users WHERE name LIKE '%{query}%'")` or `cursor.execute(f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'")`.
- Use code search tools or grep commands to find unsafe SQL patterns, e.g. `grep -r "cursor.execute(f" ./`
- Audit recent commits or code changes generated by Aider for any direct string interpolation in SQL queries instead of parameterized queries.
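The grep above only catches f-strings; the same downgrade can arrive as `%`-formatting, `.format()` or `+` concatenation. As an added example (not code from the advisory or the Aider project), the following AST-based scanner flags any `.execute()`/`.executemany()` call whose query expression is interpolated and leaves parameterized calls alone; the sample source lines are constructed for illustration:

```python
import ast
import sys

def _is_interpolated(node):
    """True if a query expression is built from runtime values instead of a fixed literal."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):                      # "... %s" % x
            return True
        if isinstance(node.op, ast.Add):                      # "..." + x + "..."
            return not all(isinstance(s, ast.Constant) for s in (node.left, node.right))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "... {}".format(x)
    return False

def find_unsafe_execute(source):
    """Return (line, query_expr) for every .execute()/.executemany() call whose
    first argument is interpolated. Parameterized calls (a literal query plus a
    separate params tuple) are not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_interpolated(node.args[0])):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return findings

# Constructed sample: lines 1-3 and 6 are the downgraded interpolation pattern the
# advisory describes; lines 4 and 5 are the safe parameterized form.
SAMPLE = '''\
cursor.execute(f"SELECT * FROM users WHERE name LIKE '%{query}%'")
cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
cursor.execute("SELECT * FROM users WHERE id = {}".format(uid))
cursor.execute("SELECT * FROM users WHERE name LIKE %s", ("%" + query + "%",))
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password))
cursor.execute("DELETE FROM sessions WHERE token = '" + token + "'")
'''

if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample when none are given.
    targets = sys.argv[1:]
    sources = [(p, open(p).read()) for p in targets] if targets else [("<sample>", SAMPLE)]
    for name, src in sources:
        for line, expr in find_unsafe_execute(src):
            print(f"{name}:{line}: interpolated SQL query: {expr}")
```

Run it over the files Aider touched in a suspect commit (`python scan_sql.py $(git diff --name-only HEAD~1 -- '*.py')`) to list the exact lines that need to be reverted to parameterized queries.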
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately stop using unsafe string interpolation for SQL queries in code generated or modified by Aider. Instead, enforce the use of parameterized queries to prevent SQL injection.
- Review and revert any code changes that replaced safe parameterized SQL queries with unsafe string formatting.
- Implement code review policies to detect and block unsafe SQL query patterns before committing.
- If possible, restrict or disable the acceptance of external or attacker-supplied coding standards or inputs that could influence SQL query generation.
- Monitor updates from the Aider project for patches or fixes addressing this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Aider-AI Aider 0.86.3 allows for SQL injection attacks, which can lead to unauthorized access, modification, or leakage of sensitive data stored in databases.
Such unauthorized data access or breaches can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.
If exploited, this vulnerability could result in exposure of personal data, violating confidentiality and integrity requirements mandated by these regulations.