Cyber Resilience

CVE-2026-32950

High · Public PoC · RCE

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (fixed in SQLBot 1.7.0)
CVSS v4.0 score: 8.6 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0088 (54.4th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-32950 is a high-severity OS Command Injection (CWE-78) vulnerability in Fit2Cloud Sqlbot. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32950 is a critical SQL injection vulnerability in SQLBot, an intelligent data query system based on a large language model and retrieval-augmented generation (RAG), affecting versions prior to 1.7.0. The issue occurs in the /api/v1/datasource/uploadExcel endpoint due to two root causes: Excel sheet names are concatenated directly into PostgreSQL table names without sanitization (datasource.py#L351), and these table names are embedded into COPY SQL statements via f-strings rather than parameterized queries (datasource.py#L385-L388). Rated at CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-78 (OS Command Injection) and CWE-89 (SQL Injection), it enables remote code execution (RCE).

Any authenticated user, even those with the lowest privileges, can exploit the vulnerability to fully compromise the backend server. The attack employs a two-stage technique to bypass the 31-character sheet name limit: first, uploading a normal Excel file whose data rows contain shell commands, followed by an XML-tampered file whose sheet name injects a TO PROGRAM 'sh' clause into the SQL. Confirmed impacts include arbitrary command execution as the postgres user (uid=999), sensitive file exfiltration (e.g., /etc/passwd, /etc/shadow), and complete PostgreSQL database takeover.

The vulnerability was addressed in SQLBot version 1.7.0. Mitigation details are outlined in the GitHub security advisory (GHSA-7hww-8rj5-7rmm), release notes for v1.7.0, and the fixing commit (39f2203cec4bb4b0aa541710733fe7608e3d3c48). Security practitioners should upgrade to 1.7.0 or later and review access controls for the affected endpoint.
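To make the root cause concrete, the following Python illustration is added here and is not SQLBot's code (the function names, the `upload_` table prefix and the length limits are assumptions for the example). It contrasts the f-string pattern the advisory describes with a hardened version that allow-lists the untrusted sheet name, quotes the derived table name as a PostgreSQL identifier, and loads rows from STDIN so that neither a server-side file path nor a PROGRAM clause can ever reach the COPY statement:

```python
"""Hardened handling of untrusted Excel sheet names that become PostgreSQL
table names. Added illustration; not code from SQLBot."""
import re

# Hypothetical names and limits for this illustration, not from SQLBot.
EXCEL_SHEET_NAME_MAX = 31      # Excel's own sheet-name limit, cited in the advisory
PG_MAX_IDENT_LEN = 63          # PostgreSQL silently truncates longer identifiers
ALLOWED_SHEET_NAME = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")
SAFE_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def vulnerable_copy_sql(sheet_name: str, server_path: str) -> str:
    """The anti-pattern the advisory describes: the sheet name and a
    server-side path are formatted straight into the statement, so any
    quote or keyword inside the name rewrites the SQL. Kept only for
    contrast; never execute the result."""
    return f"COPY {sheet_name} FROM '{server_path}' WITH (FORMAT csv)"


def validate_sheet_name(sheet_name: str) -> bool:
    """Strict allow-list check before the name is used anywhere. Rejects
    characters outside letters, digits, space, '_' and '-', and names
    longer than Excel's 31-character limit (an XML-tampered workbook can
    carry a longer name, so the limit is enforced here, not trusted)."""
    return bool(ALLOWED_SHEET_NAME.match(sheet_name))


def derive_table_name(sheet_name: str, prefix: str = "upload_") -> str:
    """Map a validated sheet name onto a table name drawn from [a-z0-9_],
    prefixed so it cannot collide with catalog or application tables and
    clipped to PostgreSQL's identifier length."""
    if not validate_sheet_name(sheet_name):
        raise ValueError(f"rejected sheet name {sheet_name!r}")
    base = re.sub(r"[^a-z0-9_]", "_", sheet_name.lower())
    base = re.sub(r"_+", "_", base).strip("_") or "sheet"
    name = (prefix + base)[:PG_MAX_IDENT_LEN]
    assert SAFE_IDENT.match(name)  # belt and braces: the alphabet is now closed
    return name


def quote_identifier(ident: str) -> str:
    """Quote as a PostgreSQL identifier (the same rule psycopg's
    sql.Identifier applies): wrap in double quotes and double any embedded
    double quote, so the identifier cannot be terminated early. A NUL byte
    is never legal in an identifier and is refused outright."""
    if "\x00" in ident:
        raise ValueError("NUL byte in identifier")
    return '"' + ident.replace('"', '""') + '"'


def hardened_copy_sql(sheet_name: str) -> str:
    """Build the COPY statement from a validated, quoted table name and
    load the rows from STDIN (copy_expert/copy in psycopg) instead of a
    server-side path, so no filesystem path and no PROGRAM clause can
    appear in the statement at all."""
    table = quote_identifier(derive_table_name(sheet_name))
    return f"COPY {table} FROM STDIN WITH (FORMAT csv, HEADER true)"


if __name__ == "__main__":
    # Constructed sample sheet names: one benign, one carrying SQL metacharacters.
    for name in ("Sales Q1", 'Sheet1"; x'):
        verdict = "accepted" if validate_sheet_name(name) else "rejected"
        print(f"{name!r}: {verdict}")
    print(hardened_copy_sql("Sales Q1"))
```

The validation step is the primary control (NIST SI-10 in the page's mapping); identifier quoting is defence in depth, so that even a name that slips past validation is treated as the literal table name rather than as SQL. Loading from STDIN also removes the need for the database role to hold the file or program privileges that COPY FROM a path or PROGRAM requires.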

As an LLM-based system, SQLBot's flaw highlights risks in AI/ML-integrated tools handling untrusted uploads and database interactions, though no real-world exploitation has been reported in available data.

Vulnerability details

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution (RCE), allowing any authenticated user (even the lowest-privileged) to fully compromise the backend server. The root cause is twofold: Excel Sheet names are concatenated directly into PostgreSQL table names without sanitization (datasource.py#L351), and those table names are embedded into COPY SQL statements via f-strings instead of parameterized queries (datasource.py#L385-L388). An attacker can bypass the 31-character Sheet name limit using a two-stage technique: first uploading a normal file whose data rows contain shell commands, then uploading an XML-tampered file whose Sheet name injects a TO PROGRAM 'sh' clause into the SQL. Confirmed impacts include arbitrary command execution as the postgres user (uid=999), sensitive file exfiltration (e.g., /etc/passwd, /etc/shadow), and complete PostgreSQL database takeover. This issue has been fixed in version 1.7.0.

CWE(s)

CWE-78 (OS Command Injection), CWE-89 (SQL Injection)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: matched keywords "large language model"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1003.008 /etc/passwd and /etc/shadow (Credential Access): Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.
Why these techniques?

SQL injection in public-facing API endpoint (T1190) enables RCE via Unix shell commands (T1059.004) as postgres user, facilitating direct exfiltration of credentials from /etc/passwd and /etc/shadow (T1003.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33324 (same product: Fit2Cloud Sqlbot)
CVE-2026-32622 (same product: Fit2Cloud Sqlbot)
CVE-2026-32949 (same product: Fit2Cloud Sqlbot)
CVE-2025-56413 (same vendor: Fit2Cloud)
CVE-2025-70981 (same vendor: Fit2Cloud)
CVE-2025-54424 (same vendor: Fit2Cloud)
CVE-2026-46624 (shared CWE-78, CWE-89)
CVE-2026-31975 (shared CWE-78)
CVE-2026-40933 (shared CWE-78)
CVE-2026-23525 (same vendor: Fit2Cloud)

Affected Assets

Vendor: fit2cloud; product: sqlbot; versions: ≤ 1.7.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of untrusted Excel sheet names and data before concatenation into PostgreSQL table names and COPY statements, preventing SQL injection and RCE.

SI-2 Flaw Remediation (prevent): Ensures timely remediation of known flaws like this SQL injection vulnerability fixed in SQLBot 1.7.0 via patching and updates.

Input restriction (prevent): Restricts information inputs such as sheet name lengths and characters to block injection payloads and the two-stage bypass technique.
