CVE-2026-25879
Status: Received - Intake
SQL Injection via Prompt Injection in Langroid SQLChatAgent

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input, including indirectly via data returned to the LLM, can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: langroid
Product: sqlchatagent
Version / Range: up to 0.63.0 (exclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Langroid's SQLChatAgent prior to version 0.63.0. The agent executes SQL queries generated by a large language model (LLM), which can be influenced by prompt injection attacks. If the database role used by SQLChatAgent has privileges that allow code execution or filesystem access, an attacker who can manipulate the agent's input can coerce the execution of dangerous SQL commands. This can lead to remote code execution (RCE) on the database host by exploiting dialect-specific features like PostgreSQL's COPY ... FROM PROGRAM.

The issue was fixed in version 0.63.0 by restricting SQLChatAgent to only allow SELECT statements parsed by sqlglot and blocking dangerous patterns by default. However, the previous unrestricted behavior can be restored with a specific configuration for trusted deployments.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows remote code execution (RCE) on the database host by exploiting SQL execution capabilities influenced by prompt injection. Such unauthorized code execution can lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive data.

Given the high impact on confidentiality, integrity, and availability (CVSS score 9.8), this vulnerability could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using vulnerable versions of Langroid's SQLChatAgent should consider this a significant risk to regulatory compliance, especially if the database contains regulated data.

How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution on the database host. An attacker who successfully exploits this flaw can execute arbitrary code, potentially leading to full compromise of the database server.

  • Complete loss of confidentiality, integrity, and availability of the database.
  • Potential unauthorized access to sensitive data.
  • Possibility of further attacks on the internal network or connected systems.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Langroid to version 0.63.0 or later, where the SQLChatAgent defaults to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist.

Avoid configuring the SQLChatAgent with a database role that has privileges enabling code execution or filesystem access, such as PostgreSQL pg_execute_server_program, MySQL FILE, or MSSQL xp_cmdshell.

Do not enable allow_dangerous_operations=True unless in a trusted deployment environment, as this restores the previous unrestricted behavior that is vulnerable.
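The two-layer guard described in the advisory and in the mitigation steps above, as an added illustration that is not Langroid's own code: Langroid's fix parses statements with sqlglot, whereas this stand-in uses a small regex tokenizer, so it is simpler and does not cover every dialect quirk (PostgreSQL dollar-quoted strings, for example). The `is_allowed` function, the `DANGEROUS_PATTERNS` table and the `WRITE_KEYWORDS` set are assumptions made for this example; the flag name `allow_dangerous_operations` is the one from the advisory.

```python
import re

# Added example, not Langroid's code: a simplified stand-in for the v0.63.0
# SELECT-only allowlist plus dialect-aware blocklist. Langroid parses with
# sqlglot; this uses a regex tokenizer and is only illustrative.

# Primitives named in the advisory, keyed by dialect (illustrative list).
DANGEROUS_PATTERNS = {
    "postgres": [r"\bCOPY\b.*?\bFROM\s+PROGRAM\b"],
    "mssql": [r"\bxp_cmdshell\b"],
    "mysql": [],  # FILE-privilege primitives would be listed here
}
# Any statement keyword that is not read-only is rejected wherever it
# appears, so a data-modifying CTE cannot hide behind a leading WITH.
WRITE_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "MERGE", "DROP", "ALTER",
                  "CREATE", "TRUNCATE", "GRANT", "COPY", "EXEC", "EXECUTE",
                  "CALL", "LOAD"}
# Comments, string literals and quoted identifiers, in that order.
_STRIP = re.compile(
    r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"", re.S)


def normalize(sql: str) -> str:
    """Blank out comments and quoted text so that content inside them can
    neither smuggle keywords past the checks nor cause false positives."""
    return _STRIP.sub(" ", sql)


def is_allowed(sql: str, dialect: str = "postgres",
               allow_dangerous_operations: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason). Layers mirror the fix: opt-out flag,
    dialect blocklist, single-statement SELECT/WITH allowlist, and a
    keyword check for anything that writes or executes."""
    if allow_dangerous_operations:  # trusted deployments only
        return True, "unrestricted: allow_dangerous_operations=True"
    cleaned = normalize(sql)
    for pat in DANGEROUS_PATTERNS.get(dialect, []):
        if re.search(pat, cleaned, re.I | re.S):
            return False, f"blocklist: matches {pat!r}"
    stmts = [s for s in cleaned.split(";") if s.strip()]
    if len(stmts) != 1:  # stacked statements are never allowed
        return False, "allowlist: exactly one statement required"
    tokens = [t.upper() for t in re.findall(r"[A-Za-z_]\w*", stmts[0])]
    if not tokens or tokens[0] not in ("SELECT", "WITH"):
        return False, "allowlist: statement must start with SELECT or WITH"
    hit = WRITE_KEYWORDS.intersection(tokens)
    if hit:
        return False, f"allowlist: non-read-only keyword {sorted(hit)[0]}"
    return True, "ok"
```

Text that the LLM echoes from query results (the indirect injection path the advisory mentions) is handled identically, because the check runs on the generated SQL, not on who or what produced it.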