{"data":{"id":"1115bfed-921e-4f8d-98eb-21e5f4756bb9","title":"CVE-2026-32949: SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Se...","summary":"SQLBot, an AI-based system for querying databases that uses RAG (retrieval-augmented generation, where it pulls in external data to answer questions), has a vulnerability in versions before 1.7.0 that lets attackers read arbitrary files from the server. An attacker can exploit the /api/v1/datasource/check endpoint by submitting a forged MySQL data source configuration with a malicious setting; when the server tries to verify the connection, it is tricked into reading sensitive files such as /etc/passwd and sending them back.","solution":"Update to version 1.7.0 or later. The source states: 'This issue was fixed in version 1.7.0.'","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-32949","publishedAt":"2026-03-20T05:16:14.387Z","cveId":"CVE-2026-32949","cweIds":["CWE-73","CWE-918"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["SQLBot"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-20T05:16:14.387Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}