External risk intelligence

SQLBot lets attackers steal data or take control by manipulating database queries.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-33324

An internal attacker can manipulate SQLBot’s chat interface to execute unauthorized commands on the underlying database server. This could allow them to take full control of the server and compromise sensitive company data.

2Halo Surface Signal

SQL Injection

Fit2cloud Sqlbot

before 1.7.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-33324

The vulnerability affects a specialized Text-to-SQL chat application typically deployed for internal organizational data analysis. It requires authenticated access and is commonly located behind corporate network controls rather than being exposed as a public-facing internet service.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

SQLBot's Text-to-SQL interface has a critical vulnerability allowing prompt injection. This means an authenticated attacker could craft a malicious question to trick the system into executing arbitrary SQL commands, potentially leading to remote code execution when connected to a PostgreSQL database. Teams should pay close attention to this because it bypasses standard security checks and can have severe consequences.

  • Remote code execution possible.
  • Affected systems could be compromised.
  • Requires authenticated access.

Attack Path

How an attacker could exploit the issue

An authenticated attacker can exploit this vulnerability by submitting a specially crafted question to the Text2SQL chat interface. This question manipulates the underlying Large Language Model to generate and execute malicious SQL commands, which, when connected to a PostgreSQL data source, can result in remote code execution.

  • Requires authenticated access.
  • Targets Text2SQL chat interface.
  • PostgreSQL connection essential for RCE.

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability in SQLBot allows an authenticated attacker to execute arbitrary SQL commands by crafting a malicious user question, leading to remote code execution when connected to PostgreSQL. While the path to exploitation is direct, the threat picture for this specific vulnerability is likely limited because SQLBot is typically deployed in internal environments and requires prior authentication.

  • Exploitation may be uncommon.
  • No public exploit code exists.
  • KEV status is not listed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of SQLBot to version 1.7.1 to address the critical prompt injection vulnerability. If patching is delayed, isolate affected systems and implement strict input validation and query sanitization for all user-provided data.

  • Update SQLBot to version 1.7.1.
  • Block all incoming traffic to SQLBot.
  • Monitor PostgreSQL logs for unusual queries.

Frequently asked questions

What is SQLBot and its primary function?

SQLBot is an intelligent Text-to-SQL system that uses large language models and Retrieval-Augmented Generation (RAG) to convert natural language into SQL queries. It allows users to interact with databases by asking questions in plain text, rather than writing SQL code.

How does the SQLBot prompt injection vulnerability (CVE-2026-33324) occur?

The vulnerability arises because user-provided questions are directly concatenated into the LLM prompt without proper filtering or escaping. The SQL extracted from the LLM's response is also executed without validation or sanitization.

What is the weakness class associated with CVE-2026-33324?

The weakness class associated with this vulnerability is CWE-89, which denotes SQL injection.

What is the potential impact of exploiting CVE-2026-33324 on a PostgreSQL data source?

When SQLBot is connected to a PostgreSQL data source, an authenticated attacker can exploit this vulnerability to achieve remote code execution via COPY FROM PROGRAM.

What is the recommended action to mitigate the SQLBot vulnerability?

The recommended action is to update SQLBot to version 1.7.1, which addresses the vulnerability. If immediate patching is not possible, isolating affected systems and implementing strict input validation and query sanitization are suggested as interim measures.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified