CVE-2026-50180
Received Received - Intake

SQL Injection Bypass in Langroid Framework

Vulnerability report for CVE-2026-50180, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, `SQLChatAgent` in `langroid` ships a `_validate_query` defense-in-depth layer whose `_DANGEROUS_SQL_PATTERNS` regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family `pg_read_file()`, `pg_stat_file()`, `pg_ls_logdir()`, `pg_ls_waldir()`, `pg_current_logfile()` (and similar `SELECT`-shaped functions in the same family). It also leaves SQL Server `OPENDATASOURCE` and SQLite `ATTACH '<file>' AS x` (DATABASE keyword omitted) unblocked. An attacker able to shape the LLM's generated SQL (directly via prompt input or transitively via prompt-injection in data the LLM ingests) can read arbitrary files from the PostgreSQL host through ordinary `SELECT` queries, even with the agent's strict default configuration (`allow_dangerous_operations=False`, `allowed_statement_types=['SELECT']`). The payloads survive the statement-type allowlist (each is a `SELECT`) and pass through the regex blocklist (none of the function names match), then reach the live SQLAlchemy engine via `SQLChatAgent.run_query`. Version 0.64.0 contains a patch for the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
langroid langroid to 0.64.0 (exc)
langroid langroid 0.64.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50180 is a security vulnerability in the SQLChatAgent component of the langroid framework (versions up to 0.63.0). The vulnerability arises because the _validate_query function uses a regex blocklist to prevent dangerous SQL functions, but this blocklist misses several critical PostgreSQL filesystem-disclosure functions such as pg_read_file(), pg_stat_file(), pg_ls_logdir(), pg_ls_waldir(), and pg_current_logfile(). It also misses SQL Server's OPENDATASOURCE and SQLite's ATTACH '<file>' syntax. Because these functions are shaped like SELECT statements, they bypass both the blocklist and the allowed statement types, allowing an attacker who can influence the SQL generated by the large language model to read arbitrary files from the PostgreSQL host or perform similar unauthorized operations.

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files from the PostgreSQL host by bypassing the security checks in the SQLChatAgent. This means sensitive files such as configuration files, logs, or other critical data could be exposed. In environments using SQL Server or SQLite, similar unauthorized access or lateral movement could occur through unblocked functions like OPENDATASOURCE or ATTACH. Such unauthorized data access can lead to data breaches, exposure of sensitive information, and potential further exploitation within the affected system.

Detection Guidance

Detection of this vulnerability involves identifying if the vulnerable versions of langroid (<= 0.63.0) are in use, specifically the SQLChatAgent component with the incomplete _validate_query blocklist.

One approach is to monitor or log SQL queries generated by the LLM to check for usage of the dangerous PostgreSQL functions that were missing from the blocklist, such as pg_read_file(), pg_stat_file(), pg_ls_logdir(), pg_ls_waldir(), and pg_current_logfile().

Suggested commands include searching logs or query histories for these function names, for example using grep on log files:

  • grep -E 'pg_read_file|pg_stat_file|pg_ls_logdir|pg_ls_waldir|pg_current_logfile' /path/to/sql/query/logs

Additionally, checking the version of langroid installed can help detect if the vulnerable version is present:

  • pip show langroid

If the version is 0.63.0 or earlier, the system is vulnerable.

Mitigation Strategies

The primary mitigation step is to upgrade langroid to version 0.64.0 or later, where the vulnerability has been patched by expanding the regex blocklist to cover all dangerous PostgreSQL filesystem-disclosure functions and other risky SQL patterns.

Until the upgrade can be applied, consider restricting or monitoring SQL queries generated by the SQLChatAgent to detect and block usage of the dangerous functions that bypass the blocklist.

Review and tighten any configurations related to allowed SQL statement types and dangerous operations, although the default settings (allow_dangerous_operations=False, allowed_statement_types=['SELECT']) are insufficient alone to prevent exploitation.

Compliance Impact

This vulnerability allows an attacker to read arbitrary files from the PostgreSQL host by bypassing the SQLChatAgent's query validation. Such unauthorized access to sensitive files and data can lead to exposure of personal or protected information.

Exposure of sensitive data due to this vulnerability could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and health-related information.

Therefore, exploitation of this vulnerability could compromise the confidentiality and integrity of regulated data, potentially leading to legal and regulatory consequences for affected organizations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart