CVE-2026-33324
Received - Intake
Prompt Injection in SQLBot Text-to-SQL System

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: GitHub, Inc.

Description
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-05-05
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| dataease | sqlbot | up to 1.7.1 (exclusive) |
| dataease | sqlbot | 1.7.1 |
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33324 is a critical prompt injection vulnerability in the SQLBot Text2SQL chat interface versions 1.7.0 and earlier. The vulnerability arises because the user-provided question parameter is directly concatenated into the large language model (LLM) prompt without any filtering or escaping.

This allows an authenticated attacker to craft malicious input that manipulates the LLM into generating arbitrary SQL statements. These SQL statements are then executed against the database without validation or sanitization.

When SQLBot is connected to a PostgreSQL data source, this can lead to remote code execution (RCE) through PostgreSQL's COPY FROM PROGRAM feature, enabling attackers to run system-level commands.

The vulnerability has been fixed in version 1.7.1.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands on your database.

An attacker can exploit this flaw to perform remote code execution on the server hosting the database, potentially leading to full system compromise.

Other impacts include data leakage, data deletion, and bypassing of system prompt restrictions, which can compromise the confidentiality, integrity, and availability of your data and systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious or unexpected SQL commands being executed through the SQLBot Text2SQL chat interface, especially those that include system-level instructions or use PostgreSQL's COPY FROM PROGRAM feature.

Since the vulnerability is exploited via the POST /api/v1/chat/question API endpoint, inspecting logs for unusual or malformed requests to this endpoint can help identify potential exploitation attempts.

You can also check the version of SQLBot installed; versions 1.7.0 and earlier are vulnerable.

  • Check the SQLBot version: use the application's version output or metadata to confirm whether the installed version is 1.7.0 or earlier.
  • Inspect web server or application logs for POST requests to /api/v1/chat/question containing suspicious payloads.
  • Monitor database logs for unexpected SQL commands, especially those invoking COPY FROM PROGRAM or other system-level commands.
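
The database-log check above can be automated. The following is an added example, not code from this page or from the SQLBot project: it scans a PostgreSQL statement log for COPY ... PROGRAM and for any non-read-only statement issued by the role SQLBot connects as. It assumes log_statement = 'all', log_line_prefix = '%t [%p] %u@%d ', and a hypothetical role name sqlbot_ro that is expected to run read-only queries only.

```python
import re

# Constructed sample log (log_statement='all', log_line_prefix='%t [%p] %u@%d ').
# Role, database and table names are invented; '<command>' is a placeholder.
SAMPLE_LOG = (
    "2026-05-05 10:02:11 UTC [4121] sqlbot_ro@sales LOG:  statement: SELECT region, sum(amount) FROM orders GROUP BY region\n"
    "2026-05-05 10:02:40 UTC [4121] sqlbot_ro@sales LOG:  statement: COPY tmp_out FROM PROGRAM '<command>'\n"
    "2026-05-05 10:03:02 UTC [4121] sqlbot_ro@sales LOG:  statement: SELECT note FROM tickets WHERE note = 'copy from program docs'\n"
    "2026-05-05 10:03:30 UTC [4121] sqlbot_ro@sales LOG:  statement: DROP TABLE orders\n"
    "2026-05-05 10:03:41 UTC [977] postgres@sales LOG:  statement: VACUUM orders\n"
    "2026-05-05 10:03:55 UTC [4121] sqlbot_ro@sales LOG:  statement: copy /* x */ tmp_out\n\tfrom   program '<command>'\n"
)
ENTRY = re.compile(r"^\S+ \S+ \S+ \[\d+\] (?P<role>[^@\s]+)@\S+ LOG:\s+statement: (?P<sql>.*)$")
# String literals, dollar-quoted bodies and comments are blanked before keyword matching.
NOISE = re.compile(r"'(?:[^']|'')*'|\$(\w*)\$.*?\$\1\$|/\*.*?\*/|--[^\n]*", re.S)
COPY_PROGRAM = re.compile(r"(?:^|;)\s*COPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S)
READ_ONLY_START = re.compile(r"^\s*(?:SELECT|WITH)\b", re.I)


def statements(log_text):
    """Yield (role, sql), joining tab-prefixed continuation lines."""
    current = None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["role"], m["sql"]]
        elif current and line.startswith("\t"):
            current[1] += "\n" + line[1:]
    if current:
        yield tuple(current)


def findings(log_text, sqlbot_role="sqlbot_ro"):
    """Return (severity, sql) pairs for statements issued by the SQLBot role."""
    out = []
    for sql in (s for r, s in statements(log_text) if r == sqlbot_role):
        bare = NOISE.sub(" ", sql)
        if COPY_PROGRAM.search(bare):
            out.append(("critical: COPY ... PROGRAM", sql))
        elif not READ_ONLY_START.match(bare):  # heuristic: first keyword only
            out.append(("review: not a read-only query", sql))
    return out


if __name__ == "__main__":
    for severity, sql in findings(SAMPLE_LOG):
        print(f"{severity}\n    {' '.join(sql.split())}")
```

The quoted string in the third sample line is not flagged because literals are blanked before matching, and the final entry is caught even though the statement spans two log lines.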

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to upgrade SQLBot to version 1.7.1 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the vulnerable API endpoint (/api/v1/chat/question) to trusted users only, and monitor for suspicious activity.

Implement network-level controls such as firewall rules to limit access to the SQLBot service.

Review and harden database permissions to minimize the impact of any potential SQL injection or command execution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated attacker to execute arbitrary SQL commands and potentially achieve remote code execution, which can lead to unauthorized data access, data leakage, or data deletion.

Such unauthorized access and manipulation of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Therefore, exploitation of this vulnerability could compromise the security and privacy requirements mandated by these regulations.

