Cyber Resilience

CVE-2026-32949

HighPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32949 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Fit2Cloud Sqlbot. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

SQLBot, an intelligent data query system based on a large language model and retrieval-augmented generation (RAG), contains a server-side request forgery (SSRF) vulnerability in versions prior to 1.7.0. The flaw, tracked as CVE-2026-32949 and associated with CWE-73 and CWE-918, affects the /api/v1/datasource/check endpoint. It enables attackers to retrieve arbitrary system and application files from the server, such as /etc/passwd or configuration files, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated remote attacker can exploit this vulnerability by configuring a forged MySQL data source with the malicious parameter extraJdbc="local_infile=1". When the SQLBot backend verifies connectivity to this data source, it connects to an attacker-controlled rogue MySQL server. During the MySQL handshake, the rogue server issues a malicious LOAD DATA LOCAL INFILE command, forcing the target server to read arbitrary files from its local filesystem and transmit their contents back to the attacker.

The issue was addressed in SQLBot version 1.7.0, as detailed in the project's GitHub security advisory (GHSA-wqj3-xcxf-j9m9), release notes, and the fixing commit (ff98514827bad99b8fa4b39385adecc6e3d44355). Security practitioners should upgrade to version 1.7.0 or later to mitigate the vulnerability.

This vulnerability is notable for its relevance to AI/ML-driven systems, as SQLBot leverages a large language model for data querying, highlighting SSRF risks in LLM-augmented applications. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-03-20.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server.…

more

An attacker can exploit the /api/v1/datasource/check endpoint by configuring a forged MySQL data source with a malicious parameter extraJdbc="local_infile=1". When the SQLBot backend attempts to verify the connectivity of this data source, an attacker-controlled Rogue MySQL server issues a malicious LOAD DATA LOCAL INFILE command during the MySQL handshake. This forces the target server to read arbitrary files from its local filesystem (such as /etc/passwd or configuration files) and transmit the contents back to the attacker. This issue was fixed in version 1.7.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: large language model

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

SSRF in unauthenticated public /api/v1/datasource/check endpoint directly enables remote file read of arbitrary local system files (/etc/passwd, configs) via malicious MySQL LOAD DATA LOCAL INFILE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32622Same product: Fit2Cloud Sqlbot
CVE-2026-33324Same product: Fit2Cloud Sqlbot
CVE-2026-32950Same product: Fit2Cloud Sqlbot
CVE-2025-70981Same vendor: Fit2Cloud
CVE-2025-56413Same vendor: Fit2Cloud
CVE-2025-54424Same vendor: Fit2Cloud
CVE-2025-56589Shared CWE-918
CVE-2026-33354Shared CWE-73
CVE-2026-45401Shared CWE-918
CVE-2026-30858Shared CWE-918

Affected Assets

fit2cloud
sqlbot
≤ 1.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of user-supplied inputs to the /api/v1/datasource/check endpoint, directly preventing forged MySQL datasource parameters like extraJdbc="local_infile=1" that enable SSRF.

prevent

SC-7 monitors and controls outbound communications at system boundaries, blocking connections from the SQLBot backend to attacker-controlled rogue MySQL servers during datasource verification.

prevent

AC-4 enforces information flow control policies that restrict application connections to only approved hosts and ports, mitigating SSRF via unauthorized datasource checks.

References