CVE-2026-32949

EUVD-2026-13541

20.03.2026, 05:16

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server. An attacker can exploit the /api/v1/datasource/check endpoint by configuring a forged MySQL data source with a malicious parameter extraJdbc="local_infile=1". When the SQLBot backend attempts to verify the connectivity of this data source, an attacker-controlled Rogue MySQL server issues a malicious LOAD DATA LOCAL INFILE command during the MySQL handshake. This forces the target server to read arbitrary files from its local filesystem (such as /etc/passwd or configuration files) and transmit the contents back to the attacker. This issue was fixed in version 1.7.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
fit2cloud	sqlbot	𝑥 < 1.7.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/dataease/SQLBot/security/advisories/GHSA-wqj3-xcxf-j9m9

Common Weakness Enumeration

CWE-73 - External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.

References

https://github.com/dataease/SQLBot/commit/ff98514827bad99b8fa4b39385adecc6e3d44355

https://github.com/dataease/SQLBot/releases/tag/v1.7.0

https://github.com/dataease/SQLBot/security/advisories/GHSA-wqj3-xcxf-j9m9