CVE-2026-32950: SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a cr
Summary
SQLBot, an intelligent data query system that uses a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions), has a critical SQL injection vulnerability (a bug where an attacker tricks the system into running unintended database commands) in versions before 1.7.0 that allows authenticated users to execute arbitrary code on the backend server. The vulnerability exists because Excel sheet names are directly inserted into database commands without proper sanitization (cleaning/validation), and attackers can exploit this by uploading specially crafted files to gain complete control of the system.
Solution / Mitigation
Update to version 1.7.0 or later, where this issue has been fixed.
Vulnerability Details
EPSS: 0.0%
March 20, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-32950
First tracked: March 20, 2026 at 08:07 AM
Classified by LLM (prompt v3) · confidence: 95%