| Field | Value |
|---|---|
| Title | openchatbi v0.2.1 SQL Injection |

**Description**

OpenChatBI suffers from a critical arbitrary SQL execution vulnerability via prompt injection, including statements that can lead to remote code execution on the database server.

The vulnerability exists in the multi-stage Text2SQL workflow, where user input is processed through several LLM-driven nodes (Agent, information extraction, schema linking, and SQL generation) before being executed against the database. An attacker can craft malicious prompts that manipulate each stage of the pipeline to inject arbitrary SQL commands.

The core issue is that the SQL generated by the LLM is executed directly, without any validation or sanitization.

The attack flow works as follows:

1. **Agent tool-call stage**: The attacker instructs the Agent to call the text2sql tool with attacker-chosen context (the prompt for the following LLM node).
2. **Information extraction stage**: The attacker's prompt manipulates the LLM into returning attacker-controlled JSON output for the `rewrite_question` and `keywords` fields.
3. **Schema linking stage**: The manipulated prompt causes the LLM to return the specified table selections. Steps 2 and 3 are manipulated together to bypass the validation in step 3, which checks that the tables to be used are within the candidate tables found by searching with the keywords generated in step 2.
4. **SQL generation stage**: The prompt injection causes the LLM to generate malicious SQL that includes dangerous database-specific commands such as PostgreSQL's `COPY FROM PROGRAM`, which can execute arbitrary system commands.
5. **SQL execution stage**: The malicious SQL is executed without any validation, allowing the attacker's commands to run on the database server.
| Field | Value |
|---|---|
| Source | https://github.com/Ka7arotto/cve/blob/main/openchatbi-SQL/issue.md |
| User | Goku (UID 80486) |
| Submitted | 2026-03-21 02:29 (16 days ago) |
| Moderated | 2026-04-04 23:42 (15 days later) |
| Status | Accepted |
| VulDB entry | 355385 [zhongyu09 openchatbi up to 0.2.1 Multi-stage Text2SQL Workflow keywords SQL injection] |
| Points | 20 |
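The description's core issue is that LLM-generated SQL reaches the database with no validation step between the SQL generation and SQL execution stages. As an added example (not code from OpenChatBI), the following Python gate fails closed on anything that is not a single read-only `SELECT`/`WITH` statement, blocks `COPY`/`PROGRAM` and other write or server-side commands, and re-checks the candidate-table constraint that the schema-linking stage alone cannot enforce once its LLM output is attacker-controlled; the `allowed_tables` set and the keyword denylist are assumptions.

```python
import re

# Assumed denylist: statement kinds and server-side features that LLM-generated
# SQL must never carry to the database. Anything matching fails closed.
FORBIDDEN = re.compile(
    r"\b(copy|program|insert|update|delete|drop|alter|create|truncate|grant|"
    r"revoke|execute|exec|call|do|into|lo_import|lo_export|pg_read_file|"
    r"pg_ls_dir|load_file)\b",
    re.IGNORECASE,
)


def _strip_literals_and_comments(sql: str) -> str:
    """Blank out string literals and comments so the checks see only SQL code."""
    sql = re.sub(r"'(?:[^']|'')*'", "''", sql)           # 'single-quoted'
    sql = re.sub(r"\$\$.*?\$\$", "''", sql, flags=re.S)   # $$dollar-quoted$$
    sql = re.sub(r"--[^\n]*", " ", sql)                   # -- line comments
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)      # /* block comments */
    return sql


def validate_generated_sql(sql: str, allowed_tables: set[str]) -> tuple[bool, str]:
    """Gate between the SQL generation and SQL execution stages.

    Returns (True, "") only for a single read-only SELECT/WITH query whose
    FROM/JOIN targets are all in the candidate set produced by schema linking;
    otherwise (False, reason). `allowed_tables` holds lower-case table names.
    """
    cleaned = _strip_literals_and_comments(sql).strip().rstrip(";")
    if ";" in cleaned:
        return False, "multiple statements"
    first = cleaned.split(None, 1)[0].lower() if cleaned else ""
    if first not in ("select", "with"):
        return False, f"statement kind '{first}' is not allowed"
    hit = FORBIDDEN.search(cleaned)
    if hit:
        return False, f"forbidden keyword '{hit.group(0)}'"
    # Every identifier following FROM or JOIN must be a schema-linked table.
    for table in re.findall(r"\b(?:from|join)\s+([A-Za-z_][\w.]*)", cleaned, re.I):
        if table.lower() not in allowed_tables:
            return False, f"table '{table}' outside candidate set"
    return True, ""
```

Keyword matching is deliberately coarse (a column named `program` is rejected too); the gate is a last line of defence and a rejected query should be logged with the originating prompt for detection, not silently retried.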