CVE-2026-25879
Status: Deferred - Pending Action
SQL Injection via Prompt Injection in Langroid SQLChatAgent

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input, including indirectly via data returned to the LLM, can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-02
Generated: 2026-06-22
AI Q&A: 2026-06-02
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Vendor: langroid
Product: sqlchatagent
Version / Range: to 0.63.0 (exclusive)
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability exists in Langroid's SQLChatAgent prior to version 0.63.0. The agent executes SQL queries generated by a large language model (LLM), which can be influenced by prompt injection attacks. If the database role used by SQLChatAgent has privileges that allow code execution or filesystem access, an attacker who can manipulate the agent's input can coerce the execution of dangerous SQL commands. This can lead to remote code execution (RCE) on the database host by exploiting dialect-specific features like PostgreSQL's COPY ... FROM PROGRAM.

The issue was fixed in version 0.63.0 by restricting SQLChatAgent to only allow SELECT statements parsed by sqlglot and blocking dangerous patterns by default. However, the previous unrestricted behavior can be restored with a specific configuration for trusted deployments.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the database host. An attacker who successfully exploits this flaw can execute arbitrary code, potentially leading to full compromise of the database server.

  • Complete loss of confidentiality, integrity, and availability of the database.
  • Potential unauthorized access to sensitive data.
  • Possibility of further attacks on the internal network or connected systems.

Mitigation Strategies

To mitigate this vulnerability, upgrade Langroid to version 0.63.0 or later, where the SQLChatAgent defaults to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist.

Avoid configuring the SQLChatAgent with a database role that has privileges enabling code execution or filesystem access, such as PostgreSQL pg_execute_server_program, MySQL FILE, or MSSQL xp_cmdshell.

Do not enable allow_dangerous_operations=True unless in a trusted deployment environment, as this restores the previous unrestricted behavior that is vulnerable.

Detection Guidance

To detect this vulnerability on your system, you should first identify if you are running Langroid versions prior to 0.63.0, specifically the SQLChatAgent component that executes LLM-generated SQL without proper validation.

Detection can involve checking the version of Langroid installed and reviewing configurations to see if allow_dangerous_operations is enabled, which restores the vulnerable behavior.

Since the vulnerability involves execution of SQL commands generated by an LLM, monitoring for unusual or unexpected SQL queries, especially those containing dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM, MySQL FILE privilege usage, or MSSQL xp_cmdshell calls, can help detect exploitation attempts.

Suggested commands include:

  • Check Langroid version: Use your package manager or inspect the installed package version to confirm if it is below 0.63.0.
  • Search logs for suspicious SQL commands: For PostgreSQL, grep logs for 'COPY ... FROM PROGRAM'; for MySQL, look for usage of FILE privilege; for MSSQL, search for 'xp_cmdshell' invocations.
  • Example command to search PostgreSQL logs: grep -i 'COPY.*FROM PROGRAM' /var/log/postgresql/postgresql.log
  • Example command to check MySQL logs for FILE usage: grep -i 'FILE' /var/log/mysql/mysql.log
  • Example command to check MSSQL logs for xp_cmdshell: grep -i 'xp_cmdshell' /var/opt/mssql/log/errorlog

Additionally, monitoring network traffic for unusual SQL queries or commands sent to the database server may help detect exploitation attempts.
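
A more precise form of the log searches above, as an added Python example (not part of the advisory or of Langroid's code): it matches statement forms rather than bare keywords, and goes slightly beyond the page's list by also covering `COPY ... TO PROGRAM` and the MySQL statements that exercise the FILE privilege. The rule names and the sample log lines are constructed for illustration.

```python
import re

# Rules for the primitives the advisory names. MySQL's FILE privilege is exercised
# through specific statements, so match those instead of the bare word "FILE".
RULES = {
    "postgres_copy_program": re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S),
    "mysql_file_read": re.compile(r"\bLOAD_FILE\s*\(|\bLOAD\s+DATA\b.*?\bINFILE\b", re.I | re.S),
    "mysql_file_write": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "mssql_xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}
SQL_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)


def classify(statement):
    """Return the sorted names of the rules a logged statement triggers."""
    # Check the raw text and a comment-stripped copy: comments between keywords
    # must not hide a match, and stripping must not discard text after a "--".
    forms = (statement, SQL_COMMENT.sub(" ", statement))
    return sorted(n for n, rx in RULES.items() if any(rx.search(f) for f in forms))


def scan(lines):
    """Return [(line_number, rule_names)] for every log line that triggers a rule."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := classify(line))]


# Constructed log lines (not real captures); quoted arguments are placeholders.
SAMPLE_LOG = [
    "2026-06-01 10:00:01 UTC [411] LOG:  statement: SELECT name FROM users WHERE profile = 'standard'",
    "2026-06-01 10:00:07 UTC [411] LOG:  statement: COPY audit_tmp FROM PROGRAM '<command placeholder>'",
    "2026-06-01 10:00:09 UTC [411] LOG:  statement: copy/**/audit_tmp from/**/program '<command placeholder>'",
    "42 Query SELECT LOAD_FILE('<path placeholder>')",
    "42 Query SELECT note FROM t INTO OUTFILE '<path placeholder>'",
    "EXEC master..xp_cmdshell '<command placeholder>'",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, ", ".join(hits))
```

Statements only reach these logs when statement logging is enabled (for example PostgreSQL's log_statement setting or the MySQL general query log), so an empty result on a server without it is not evidence of absence. The first sample line contains "profile" and would be hit by a case-insensitive search for "FILE", but triggers none of the rules here.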

Compliance Impact

This vulnerability allows remote code execution (RCE) on the database host by exploiting SQL execution capabilities influenced by prompt injection. Such unauthorized code execution can lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive data.

Given the high impact on confidentiality, integrity, and availability (CVSS score 9.8), this vulnerability could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using vulnerable versions of Langroid's SQLChatAgent should consider this a significant risk to regulatory compliance, especially if the database contains regulated data.
