CVE-2026-54760
Received Received - Intake

SQL Injection Bypass in Langroid SQLChatAgent

Vulnerability report for CVE-2026-54760, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the `SQLChatAgent` SQL-injection mitigation, with default `allow_dangerous_operations=False`, combines a raw-text regex blocklist (`_DANGEROUS_SQL_PATTERNS`) with a `sqlglot` SELECT-only statement allowlist. The blocklist entries that target callable functions require the function name to be immediately followed by `\s*\(`. PostgreSQL accepts the same call with the name separated from `(` by a quoted identifier, an inline comment, or schema qualification. These forms evade the regex, still parse as `SELECT`, and execute the same PostgreSQL function. This restores the `pg_read_file` server-side file-read primitive that the prior CVE-2026-25879 / GHSA-pmch-g965-grmr fix was meant to block: the parent advisory fixed a missing `pg_read_file` blocklist entry, while this report shows that the added regex is bypassable. Version 0.65.1 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
langroid langroid to 0.65.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability affects the SQLChatAgent component in the langroid package (versions up to 0.65.0). It involves a bypass of the SQL injection mitigation that relies on a regex blocklist to detect dangerous PostgreSQL function calls like pg_read_file.

The regex pattern checks for function names immediately followed by a parenthesis, but PostgreSQL allows calling functions with the name separated from the parenthesis by quoted identifiers, inline comments, or schema qualifications. These forms evade the regex check.

As a result, attackers who can influence the SQL generated by the large language model can bypass the safety policy and execute dangerous functions such as pg_read_file, which can read server-side files if the PostgreSQL role has sufficient privileges.

The root cause is that the validation uses raw-text regex matching instead of analyzing the normalized Abstract Syntax Tree (AST) of the SQL statement, allowing these bypasses.

Version 0.65.1 of langroid fixes this issue by addressing the bypass.

Impact Analysis

This vulnerability can allow an attacker who can influence the SQL generated by the large language model to bypass SQL injection protections and execute dangerous PostgreSQL functions.

Specifically, it enables reading server-side files using the pg_read_file function, which can expose sensitive data stored on the database server.

The impact depends on the privileges of the PostgreSQL role used by the application; if it has superuser or pg_read_server_files privileges, the attacker can access critical files.

This can lead to data breaches, exposure of confidential information, and compromise of the server environment.

Detection Guidance

This vulnerability can be detected by monitoring for SQL queries that invoke dangerous PostgreSQL functions like pg_read_file using evasion techniques such as quoted identifiers, inline comments, or schema qualification.

Examples of suspicious queries to look for include:

  • SELECT "pg_read_file"('/etc/passwd')
  • SELECT pg_read_file/**/('/etc/passwd')
  • SELECT pg_catalog."pg_read_file"('/etc/passwd')

To detect such queries on your system or network, you can use database query logging or network packet inspection tools to filter for SQL statements containing these patterns.

For example, on PostgreSQL, enable query logging with:

  • ALTER SYSTEM SET log_statement = 'all';
  • SELECT pg_reload_conf();

Then search the logs for occurrences of pg_read_file with unusual syntax, such as using regex or grep commands:

  • grep -E 'pg_read_file|"pg_read_file"|pg_read_file/\*\*/' /var/log/postgresql/postgresql.log
Mitigation Strategies

The immediate mitigation is to upgrade the langroid package to version 0.65.1 or later, where this vulnerability is fixed.

Until the upgrade can be applied, consider restricting the PostgreSQL roles that have the ability to execute dangerous functions like pg_read_file, limiting privileges such as superuser or pg_read_server_files.

Additionally, review and harden any SQL generation or execution logic in your applications that use the SQLChatAgent component to avoid allowing user input to influence SQL queries without proper validation.

Long term, replacing regex-based dangerous function detection with AST-based validation after SQL parsing is recommended to prevent bypasses.

Compliance Impact

The vulnerability allows attackers to bypass SQL injection mitigations and execute dangerous PostgreSQL functions such as pg_read_file, enabling unauthorized server-side file reads. This can lead to exposure of sensitive data stored on the server.

Such unauthorized data access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Therefore, if exploited, this vulnerability could result in violations of these standards due to failure to adequately protect sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart