| Title | openchatbi v0.2.1 SQL Injection |
|---|
| Description | OpenChatBI suffers from a critical arbitrary SQL execution vulnerability via prompt injection, including statements that can lead to remote code execution on the database server.
The vulnerability exists in the multi-stage Text2SQL workflow where user input is processed through several LLM-driven nodes (Agent, information extraction, schema linking, and SQL generation) before being executed against the database. An attacker can craft malicious prompts that manipulate each stage of the pipeline to inject arbitrary SQL commands.
The core issue is that the SQL generated by the LLM is executed directly without any validation or sanitization:
The attack flow works as follows:
1. **Agent Call Tool Stage**: The attacker instructs the Agent to call the text2sql tool with specific context (the prompt for the following LLM node).
2. **Information Extraction Stage**: The attacker's prompt manipulates the LLM to return attacker-controlled JSON output for the rewrite_question and keywords fields.
3. **Schema Linking Stage**: The manipulated prompt causes the LLM to return specified table selections.
We manipulate steps 2 and 3 to bypass the validation in step 3, which checks that the tables to be used are among the candidate tables found using the keywords generated in step 2.
4. **SQL Generation Stage**: The prompt injection causes the LLM to generate malicious SQL that includes dangerous database-specific commands like PostgreSQL's `COPY FROM PROGRAM`, which can execute arbitrary system commands.
5. **SQL Execution Stage**: The malicious SQL is executed without any validation, allowing the attacker's commands to run on the database server. |
|---|
| Source | ⚠️ https://github.com/Ka7arotto/cve/blob/main/openchatbi-SQL/issue.md |
|---|
| User | Goku (UID 80486) |
|---|
| Submission | 21.03.2026 02:29 (16 days ago) |
|---|
| Moderation | 04.04.2026 23:42 (15 days later) |
|---|
| Status | accepted |
|---|
| VulDB entry | 355385 [zhongyu09 openchatbi up to 0.2.1 Multi-stage Text2SQL Workflow keywords SQL injection] |
|---|
| Points | 20 |
|---|
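
A minimal sketch of the validation step the description says is missing before execution, as an added example that is not OpenChatBI's code or the reporter's: a fail-closed gate that accepts only a single read-only SELECT. The function name, the denylist and the sample queries are assumptions made for this illustration.

```python
import re

# Non-exhaustive denylist (an assumption of this example): write/DDL verbs and
# PostgreSQL features that reach the server's file system or shell.
FORBIDDEN = re.compile(
    r"\b(copy|insert|update|delete|merge|drop|alter|create|truncate|grant|"
    r"revoke|into|call|do|execute|set|pg_read_file|pg_read_binary_file|"
    r"lo_import|lo_export|dblink)\b",
    re.IGNORECASE,
)
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
UNSUPPORTED = (('"', "quoted identifier"), ("\\", "backslash escape"),
               ("$", "dollar quoting"))


def check_generated_sql(sql: str) -> tuple[bool, str]:
    """Accept exactly one read-only SELECT; refuse everything else."""
    # Quoting forms this simple scanner cannot track are refused outright.
    for ch, name in UNSUPPORTED:
        if ch in sql:
            return False, f"{name} not accepted"
    # Blank out string literals so their contents cannot hide or fake keywords.
    bare = STRING_LITERAL.sub("''", sql).strip()
    if bare.endswith(";"):
        bare = bare[:-1].rstrip()
    if "'" in bare.replace("''", ""):
        return False, "unterminated string literal"
    # A comment marker left outside a literal could hide a second statement.
    if "--" in bare or "/*" in bare:
        return False, "comments not accepted"
    if ";" in bare:
        return False, "multiple statements"
    if not re.match(r"(?i)(select|with)\b", bare):
        return False, "not a SELECT"
    hit = FORBIDDEN.search(bare)
    if hit:
        return False, f"forbidden keyword: {hit.group(1).lower()}"
    return True, "ok"


# Constructed samples, not taken from the report.
SAMPLES = [
    "SELECT region, SUM(amount) FROM orders WHERE note = 'copy; drop' GROUP BY region;",
    "SELECT 1; COPY t FROM PROGRAM '...'",
    "WITH x AS (DELETE FROM orders RETURNING *) SELECT * FROM x",
    "SELECT 1 -- ' \n; DROP TABLE orders -- '",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_generated_sql(s), repr(s))
```

A text gate like this is defense in depth only. PostgreSQL restricts `COPY ... FROM PROGRAM` to superusers and members of `pg_execute_server_program`, so the role the application connects with should be neither and should hold read-only grants on the tables it queries.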