CVE-2026-32949

HighPublic PoC

Published: 20 March 2026

Published

20 March 2026

Modified

23 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0006 18.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32949 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Fit2Cloud Sqlbot. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of user-supplied inputs to the /api/v1/datasource/check endpoint, directly preventing forged MySQL datasource parameters like extraJdbc="local_infile=1" that enable SSRF.

SC-7 Boundary Protection good match

prevent

SC-7 monitors and controls outbound communications at system boundaries, blocking connections from the SQLBot backend to attacker-controlled rogue MySQL servers during datasource verification.

AC-4 Information Flow Enforcement partial match

prevent

AC-4 enforces information flow control policies that restrict application connections to only approved hosts and ports, mitigating SSRF via unauthorized datasource checks.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

SSRF in unauthenticated public /api/v1/datasource/check endpoint directly enables remote file read of arbitrary local system files (/etc/passwd, configs) via malicious MySQL LOAD DATA LOCAL INFILE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server.…

An attacker can exploit the /api/v1/datasource/check endpoint by configuring a forged MySQL data source with a malicious parameter extraJdbc="local_infile=1". When the SQLBot backend attempts to verify the connectivity of this data source, an attacker-controlled Rogue MySQL server issues a malicious LOAD DATA LOCAL INFILE command during the MySQL handshake. This forces the target server to read arbitrary files from its local filesystem (such as /etc/passwd or configuration files) and transmit the contents back to the attacker. This issue was fixed in version 1.7.0.

Deeper analysisAI

SQLBot, an intelligent data query system based on a large language model and retrieval-augmented generation (RAG), contains a server-side request forgery (SSRF) vulnerability in versions prior to 1.7.0. The flaw, tracked as CVE-2026-32949 and associated with CWE-73 and CWE-918, affects the /api/v1/datasource/check endpoint. It enables attackers to retrieve arbitrary system and application files from the server, such as /etc/passwd or configuration files, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated remote attacker can exploit this vulnerability by configuring a forged MySQL data source with the malicious parameter extraJdbc="local_infile=1". When the SQLBot backend verifies connectivity to this data source, it connects to an attacker-controlled rogue MySQL server. During the MySQL handshake, the rogue server issues a malicious LOAD DATA LOCAL INFILE command, forcing the target server to read arbitrary files from its local filesystem and transmit their contents back to the attacker.

The issue was addressed in SQLBot version 1.7.0, as detailed in the project's GitHub security advisory (GHSA-wqj3-xcxf-j9m9), release notes, and the fixing commit (ff98514827bad99b8fa4b39385adecc6e3d44355). Security practitioners should upgrade to version 1.7.0 or later to mitigate the vulnerability.

This vulnerability is notable for its relevance to AI/ML-driven systems, as SQLBot leverages a large language model for data querying, highlighting SSRF risks in LLM-augmented applications. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-03-20.