Cyber Resilience

CVE-2026-32622

High · Public PoC · RCE

Published: 19 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (fixed in SQLBot v1.6.0)
CVSS score (v4.0): 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0056 (42.3rd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32622 is a high-severity Improper Input Validation (CWE-20) vulnerability in Fit2Cloud Sqlbot. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32622 is a Stored Prompt Injection vulnerability in SQLBot, an intelligent data query system based on a large language model and Retrieval-Augmented Generation (RAG). It affects versions 1.5.0 and below and chains three flaws: a missing permission check on the Excel upload API that allows any authenticated user to upload malicious terminology; unsanitized storage of terminology descriptions containing dangerous payloads; and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Associated CWEs include CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), CWE-77 (Improper Neutralization of Special Elements used in a Command), and CWE-862 (Missing Authorization).

Any authenticated user can exploit the vulnerability by uploading malicious terminology through the Excel upload API. The unsanitized payload is stored and later injected into the LLM's system prompt without semantic fencing, hijacking the model's reasoning to generate malicious PostgreSQL commands, such as COPY ... TO PROGRAM. This chain enables remote code execution on the database or application server with postgres user privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The issue is fixed in SQLBot version 1.6.0. Additional details on the patch and mitigation are available in the GitHub security advisory at https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3 and the release notes at https://github.com/dataease/SQLBot/releases/tag/v1.6.0.

Vulnerability details

SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords "large language model", "llm", "prompt injection"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The stored prompt injection vulnerability in the web-based SQLBot application allows remote authenticated users to upload malicious payloads via the Excel API. The payloads are injected unsanitized into LLM prompts and lead to the generation of malicious PostgreSQL commands and RCE, which is direct exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32949 (same product: Fit2Cloud Sqlbot)
CVE-2026-33324 (same product: Fit2Cloud Sqlbot)
CVE-2026-32950 (same product: Fit2Cloud Sqlbot)
CVE-2025-70981 (same vendor: Fit2Cloud)
CVE-2025-56413 (same vendor: Fit2Cloud)
CVE-2025-54424 (same vendor: Fit2Cloud)
CVE-2026-44555 (shared CWE-862)
CVE-2026-26015 (shared CWE-77)
CVE-2026-45350 (shared CWE-862)
CVE-2025-34267 (shared CWE-77)

Affected Assets

fit2cloud sqlbot ≤ 1.6.0

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Enforces approved authorizations on the Excel upload API to prevent any authenticated user from uploading malicious terminology.

Prevent (SI-10, Information Input Validation): Requires validation of uploaded terminology descriptions to prevent unsanitized storage of dangerous payloads that could lead to prompt injection.

Prevent: Filters terminology content before injection into the LLM system prompt to implement semantic fencing and block hijacking of model reasoning for malicious SQL generation.

References