CVE-2026-32622
Published: 19 March 2026
Description
SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any…
more
authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations on the Excel upload API to prevent any authenticated user from uploading malicious terminology.
Requires validation of uploaded terminology descriptions to prevent unsanitized storage of dangerous payloads that could lead to prompt injection.
Filters terminology content before injection into the LLM system prompt to implement semantic fencing and block hijacking of model reasoning for malicious SQL generation.
Security SummaryAI
CVE-2026-32622 is a Stored Prompt Injection vulnerability in SQLBot, an intelligent data query system based on a large language model and Retrieval-Augmented Generation (RAG). It affects versions 1.5.0 and below and chains three flaws: a missing permission check on the Excel upload API that allows any authenticated user to upload malicious terminology; unsanitized storage of terminology descriptions containing dangerous payloads; and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Associated CWEs include CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), CWE-77 (Improper Neutralization of Special Elements used in an SQL Command), and CWE-862 (Missing Authorization).
Any authenticated user can exploit the vulnerability by uploading malicious terminology through the Excel upload API. The unsanitized payload is stored and later injected into the LLM's system prompt without semantic fencing, hijacking the model's reasoning to generate malicious PostgreSQL commands, such as COPY ... TO PROGRAM. This chain enables remote code execution on the database or application server with postgres user privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The issue is fixed in SQLBot version 1.6.0. Additional details on the patch and mitigation are available in the GitHub security advisory at https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3 and the release notes at https://github.com/dataease/SQLBot/releases/tag/v1.6.0.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Matched keywords: large language model, prompt injection, llm, llm
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored prompt injection vulnerability in web-based SQLBot application allows remote authenticated users to upload malicious payloads via Excel API, leading to unsanitized injection into LLM prompts and generation of malicious PostgreSQL commands for RCE, directly enabling exploitation of a public-facing application.