Cyber Resilience

CVE-2026-7023

Severity: Low · Public PoC referenced

Published: 26 April 2026
Modified: 01 May 2026
CVSS v4.0 base score: 2.1 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0037 (28.5th percentile)
Risk priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-7023 is a low-severity Injection (CWE-74) vulnerability in Coze Studio (vendor: Coze). Its CVSS v4.0 base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 28.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7023 is a SQL injection vulnerability affecting ByteDance coze-studio versions up to 0.5.1. The issue resides in the ExecuteSQL function within the file backend/domain/memory/database/service/database_impl.go of the databaseTool component. Manipulation of this function leads to SQL injection, as classified under CWE-74 and CWE-89, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker with low privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, enabling potential unauthorized access, modification, or disruption of database operations through injected SQL commands.

Advisories from VulDB, including recent entries on the vulnerability and related CTI, document the issue but note no response from the vendor despite early contact. No patches or official mitigations are mentioned. The exploit is publicly available via a GitHub Gist.

Notable context includes the public disclosure of the exploit, which may facilitate its use in attacks, with the vulnerability published on 2026-04-26.


Vulnerability details

A vulnerability was detected in ByteDance coze-studio up to 0.5.1. Affected by this vulnerability is the function ExecuteSQL of the file backend/domain/memory/database/service/database_impl.go of the component databaseTool. Performing a manipulation results in SQL injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remotely reachable SQL injection in an application component directly enables T1190 Exploit Public-Facing Application for initial access and database manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2116 (shared CWE-74, CWE-89)
CVE-2025-15436 (shared CWE-74, CWE-89)
CVE-2026-6148 (shared CWE-74, CWE-89)
CVE-2026-3792 (shared CWE-74, CWE-89)
CVE-2026-9447 (shared CWE-74, CWE-89)
CVE-2026-6153 (shared CWE-74, CWE-89)
CVE-2025-0699 (shared CWE-74, CWE-89)
CVE-2025-7218 (shared CWE-74, CWE-89)
CVE-2026-5564 (shared CWE-74, CWE-89)
CVE-2026-7063 (shared CWE-74, CWE-89)

Affected Assets

Vendor: coze
Product: coze studio
Versions: ≤ 0.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)
Directly prevents SQL injection by requiring validation of all inputs to the vulnerable ExecuteSQL function in database_impl.go.

prevent
Mandates timely identification, reporting, and correction of the SQL injection flaw in the coze-studio databaseTool component.

detect · RA-5 (Vulnerability Monitoring and Scanning)
Enables detection of the SQL injection vulnerability through regular scanning of the affected coze-studio application.
