CVE-2026-32950
Published: 20 March 2026
Summary
CVE-2026-32950 is a high-severity OS Command Injection (CWE-78) vulnerability in Fit2Cloud Sqlbot. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as Machine Learning Libraries, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of untrusted Excel sheet names and data before concatenation into PostgreSQL table names and COPY statements, preventing SQL injection and RCE.
Ensures timely remediation of known flaws like this SQL injection vulnerability fixed in SQLBot 1.7.0 via patching and updates.
Restricts information inputs such as sheet name lengths and characters to block injection payloads and the two-stage bypass technique.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing API endpoint (T1190) enables RCE via Unix shell commands (T1059.004) as postgres user, facilitating direct exfiltration of credentials from /etc/passwd and /etc/shadow (T1003.008).
NVD Description
SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution (RCE), allowing any authenticated user (even the lowest-privileged) to fully compromise the backend server. The root cause is twofold: Excel Sheet names are concatenated directly into PostgreSQL table names without sanitization (datasource.py#L351), and those table names are embedded into COPY SQL statements via f-strings instead of parameterized queries (datasource.py#L385-L388). An attacker can bypass the 31-character Sheet name limit using a two-stage technique—first uploading a normal file whose data rows contain shell commands, then uploading an XML-tampered file whose Sheet name injects a TO PROGRAM 'sh' clause into the SQL. Confirmed impacts include arbitrary command execution as the postgres user (uid=999), sensitive file exfiltration (e.g., /etc/passwd, /etc/shadow), and complete PostgreSQL database takeover. This issue has been fixed in version 1.7.0.
Deeper analysis
CVE-2026-32950 is a critical SQL injection vulnerability in SQLBot, an intelligent data query system based on a large language model and retrieval-augmented generation (RAG), affecting versions prior to 1.7.0. The issue occurs in the /api/v1/datasource/uploadExcel endpoint and has two root causes: Excel sheet names are concatenated directly into PostgreSQL table names without sanitization (datasource.py#L351), and these table names are embedded into COPY SQL statements via f-strings rather than parameterized queries (datasource.py#L385-L388). It is rated at a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), is mapped to CWE-78 (OS Command Injection) and CWE-89 (SQL Injection), and enables remote code execution (RCE).
Any authenticated user, even those with the lowest privileges, can exploit the vulnerability to fully compromise the backend server. The attack employs a two-stage technique to bypass the 31-character sheet name limit: first, uploading a normal Excel file whose data rows contain shell commands, followed by an XML-tampered file whose sheet name injects a TO PROGRAM 'sh' clause into the SQL. Confirmed impacts include arbitrary command execution as the postgres user (uid=999), sensitive file exfiltration (e.g., /etc/passwd, /etc/shadow), and complete PostgreSQL database takeover.
The vulnerability was addressed in SQLBot version 1.7.0. Mitigation details are outlined in the GitHub security advisory (GHSA-7hww-8rj5-7rmm), release notes for v1.7.0, and the fixing commit (39f2203cec4bb4b0aa541710733fe7608e3d3c48). Security practitioners should upgrade to 1.7.0 or later and review access controls for the affected endpoint.
As an LLM-based system, SQLBot's flaw highlights risks in AI/ML-integrated tools handling untrusted uploads and database interactions, though no real-world exploitation has been reported in available data.
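The two root causes described above, shown as the weak pattern beside a hardened one. This is an added example, not SQLBot's code or its 1.7.0 fix: the function names, the `excel_` prefix and the shape of the COPY statement are assumptions, and the hostile sheet name is a constructed sample.

```python
import hashlib
import re

MAX_IDENT = 63  # PostgreSQL default identifier limit (NAMEDATALEN - 1)
_SAFE_IDENT = re.compile(r"[a-z_][a-z0-9_]*")


def table_name_from_sheet(sheet_name: str, prefix: str = "excel_") -> str:
    """Derive a table name from an untrusted sheet name instead of reusing it."""
    # Keep a readable slug made of allowlisted characters only, capped in length.
    slug = re.sub(r"[^a-z0-9_]+", "_", sheet_name.lower()).strip("_")[:24]
    # The digest keeps names distinct when different sheets collapse to one slug.
    digest = hashlib.sha256(sheet_name.encode("utf-8", "replace")).hexdigest()[:12]
    name = f"{prefix}{slug}_{digest}" if slug else f"{prefix}{digest}"
    # Fail closed: re-check the final value rather than trusting the steps above.
    if len(name) > MAX_IDENT or not _SAFE_IDENT.fullmatch(name):
        raise ValueError("derived table name failed the allowlist check")
    return name


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes, double embedded ones.

    Identifiers cannot be bound as query parameters, so they need this quoting;
    psycopg provides sql.Identifier for the same purpose.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def build_copy_unsafe(sheet_name: str) -> str:
    # Weak pattern from the advisory: raw sheet name placed into an f-string.
    return f'COPY "{sheet_name}" FROM STDIN WITH (FORMAT csv)'


def build_copy_safe(sheet_name: str) -> str:
    # Hardened: derived, allowlisted name, then quoted as an identifier.
    return f"COPY {quote_ident(table_name_from_sheet(sheet_name))} FROM STDIN WITH (FORMAT csv)"


if __name__ == "__main__":
    hostile = 'q1"; SELECT 1; --'  # constructed sample sheet name
    print(build_copy_unsafe(hostile))  # quote closes early, second statement follows
    print(build_copy_safe(hostile))    # single COPY with one quoted identifier
```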
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: large language model