CVE-2026-25879 (CRITICAL), CNA: GitHub_M

CVE-2026-25879: Langroid has Prompt to SQL Injection, Leading to RCE

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input — including indirectly via data returned to the LLM — can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.
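To make the shape of the fix concrete, here is an added, illustrative guard (not Langroid's own code, and written without sqlglot) that applies the same two controls the advisory describes: a single-statement SELECT-only allowlist and a dialect-aware dangerous-pattern blocklist. The pattern lists and the sample statements are assumptions constructed for this example.

```python
import re

# Comments and string literals are removed before any check, so tokens split by
# "/**/" or "--" and keywords hidden inside quoted text cannot confuse the logic.
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
_STRING_RE = re.compile(r"'(?:[^']|'')*'" r'|"(?:[^"]|"")*"')

# Verbs that mutate data or schema, or execute code, in any dialect. Checked over
# the whole statement because Postgres allows data-modifying CTEs under WITH.
_WRITE_OR_EXEC = re.compile(
    r"\b(insert|update|delete|merge|drop|alter|create|truncate|grant|revoke|"
    r"copy|exec|execute)\b", re.I)

# Dialect-specific file/OS primitives named in the advisory (for MySQL, the
# features the FILE privilege enables). Illustrative list, not exhaustive.
DANGEROUS_PATTERNS = {
    "postgres": [r"\bcopy\b.*\bfrom\s+program\b", r"\bpg_execute_server_program\b"],
    "mysql": [r"\binto\s+(outfile|dumpfile)\b", r"\bload_file\s*\(", r"\bload\s+data\b"],
    "mssql": [r"\bxp_cmdshell\b"],
}


def normalize(sql: str) -> str:
    """Strip comments, blank out string literals and collapse whitespace."""
    text = _COMMENT_RE.sub(" ", sql)
    text = _STRING_RE.sub("''", text)
    return re.sub(r"\s+", " ", text).strip()


def is_allowed(sql: str, dialect: str = "postgres") -> tuple[bool, str]:
    """Return (allowed, reason) for one LLM-generated statement.

    Allowlist: exactly one statement beginning with SELECT or WITH.
    Blocklist: any write/exec verb plus the dialect's dangerous primitives.
    Conservative by design: a false positive costs a refused query, a false
    negative costs the database host."""
    text = normalize(sql).rstrip(";").strip()
    if not text:
        return False, "empty statement"
    if ";" in text:  # a ';' surviving literal stripping means stacked statements
        return False, "stacked statements"
    first = re.match(r"\w+", text)
    verb = first.group(0).lower() if first else ""
    if verb not in ("select", "with"):
        return False, f"'{verb}' is not an allowlisted statement type"
    hit = _WRITE_OR_EXEC.search(text)
    if hit:
        return False, f"write/exec verb '{hit.group(1).lower()}' not allowed"
    for pat in DANGEROUS_PATTERNS.get(dialect, []):
        if re.search(pat, text, re.I):
            return False, f"dangerous {dialect} pattern matched"
    return True, "ok"
```

Run the guard between the LLM's output and the database cursor; the reason string is what you would log for detection, since a rejected statement is itself a strong signal that the agent's input was being shaped.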

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a prompt-injection-to-SQL-injection vulnerability in Langroid, a Python framework for building LLM-powered applications. The flaw is reachable over the network with no authentication required: any attacker who can influence the text fed into a SQLChatAgent instance, including indirectly through data the LLM retrieves from a database, can craft input that causes the agent to generate and execute malicious SQL. When the configured database role holds elevated privileges (such as PostgreSQL pg_execute_server_program, MySQL FILE, or MSSQL xp_cmdshell), exploitation results in remote code execution on the database host. No fix version has been published upstream; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Langroid as a dependency. Any image shipping langroid versions below 0.63.0 is flagged automatically in both registry scans and CI pipeline checks.
Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights findings against each environment's compliance policy to prioritize routing. Alerts are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available at the fix version the moment upstream ships one. In the interim, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation for containers running SQLChatAgent and egress filtering to restrict database-host reachability.

Exploit Conditions

  • Network reachability: Required

    The vulnerable SQLChatAgent is exposed over the network, so an attacker must be able to reach the service or influence its input stream remotely.

  • Authentication: Not required

    No credentials are needed; any party who can supply or influence the agent's input, including via poisoned data returned from a database query, can trigger the injection.

  • Victim interaction: Not required

    The vulnerability is exercised entirely within the automated LLM-to-SQL pipeline with no human action required.

  • Attack complexity: Low

    Attack complexity is low: exploitation is reliable and condition-free once the attacker can shape agent input, requiring no race conditions or special environmental setup.

Blast Radius

  • Reads any file or database content accessible to the database process user, including stored credentials, secrets, and application data.
  • Writes or overwrites files on the database host filesystem if the database role has write privileges.
  • Executes arbitrary operating system commands on the database host via dialect-specific primitives such as COPY ... FROM PROGRAM or xp_cmdshell.
  • Crashes or permanently disrupts the database service by terminating processes or corrupting on-disk data structures.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for this CVE yet, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Langroid publishes a fix. Until then, customers can reduce exposure by applying compensating controls: use HarborGuard network policies to isolate containers running SQLChatAgent from direct internet ingress, restrict egress from those containers to only known database endpoints, and consider feature-flag gating to disable SQLChatAgent functionality in images deployed to public-facing environments. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be made available immediately upon upstream patch publication, with a median time from CVE fix publication to merged patch PR of around 90 minutes for critical-severity issues in environments with auto-remediation enabled.

Affected packages

  • langroid / langroid: < 0.63.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H