CVE-2026-33324
Analyzed Analyzed - Analysis Complete
Prompt Injection in SQLBot Text-to-SQL System

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33324
EUVD
EUVD-2026-27446
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fit2cloud sqlbot to 1.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated attacker to execute arbitrary SQL commands and potentially remote code execution, which can lead to unauthorized data access, data leakage, or data deletion.

Such unauthorized access and manipulation of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Therefore, exploitation of this vulnerability could compromise the security and privacy requirements mandated by these regulations.

Executive Summary

CVE-2026-33324 is a critical prompt injection vulnerability in the SQLBot Text2SQL chat interface versions 1.7.0 and earlier. The vulnerability arises because the user-provided question parameter is directly concatenated into the large language model (LLM) prompt without any filtering or escaping.

This allows an authenticated attacker to craft malicious input that manipulates the LLM into generating arbitrary SQL statements. These SQL statements are then executed against the database without validation or sanitization.

When SQLBot is connected to a PostgreSQL data source, this can lead to remote code execution (RCE) through PostgreSQL's COPY FROM PROGRAM feature, enabling attackers to run system-level commands.

The vulnerability has been fixed in version 1.7.1.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands on your database.

An attacker can exploit this flaw to perform remote code execution on the server hosting the database, potentially leading to full system compromise.

Other impacts include data leakage, data deletion, and bypassing of system prompt restrictions, which can compromise the confidentiality, integrity, and availability of your data and systems.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or unexpected SQL commands being executed through the SQLBot Text2SQL chat interface, especially those that include system-level instructions or use PostgreSQL's COPY FROM PROGRAM feature.

Since the vulnerability is exploited via the POST /api/v1/chat/question API endpoint, inspecting logs for unusual or malformed requests to this endpoint can help identify potential exploitation attempts.

You can also check the version of SQLBot installed; versions 1.7.0 and earlier are vulnerable.

  • Check SQLBot version: run the command or check the application metadata to confirm if the version is 1.7.0 or earlier.
  • Inspect web server or application logs for POST requests to /api/v1/chat/question containing suspicious payloads.
  • Monitor database logs for unexpected SQL commands, especially those invoking COPY FROM PROGRAM or other system-level commands.
Mitigation Strategies

The immediate and most effective mitigation step is to upgrade SQLBot to version 1.7.1 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the vulnerable API endpoint (/api/v1/chat/question) to trusted users only, and monitor for suspicious activity.

Implement network-level controls such as firewall rules to limit access to the SQLBot service.

Review and harden database permissions to minimize the impact of any potential SQL injection or command execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart