PT-2026-26556 · Sqlbot · Sqlbot

Jackieya · Published 2026-03-20 · Updated 2026-03-20 · CVE-2026-32949

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SQLBot versions prior to 1.7.0

Description: SQLBot is a data query system utilizing a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) issue that allows an attacker to retrieve arbitrary system and application files from the server. An attacker can exploit the /api/v1/datasource/check endpoint by configuring a forged MySQL data source with a malicious parameter extraJdbc='local infile=1'. When the SQLBot backend attempts to verify the connectivity of this data source, an attacker-controlled MySQL server issues a malicious LOAD DATA LOCAL INFILE command during the MySQL handshake. This forces the target server to read arbitrary files from its local filesystem and transmit the contents back to the attacker.

Recommendations: Update SQLBot to version 1.7.0 or later.
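The root cause described above is that user-supplied connection parameters can turn on the MySQL client's LOCAL INFILE capability, after which any server the application connects to can ask it to upload local files. The following is an added example, not SQLBot's own code, of the two defensive controls a data-source "check connectivity" feature wants: reject extra parameters that enable client-side local infile under any spelling (space, underscore, camel-case, percent-encoded), and pin the connector option off so no parameter can re-enable it. The parameter string format (key=value pairs joined by & or ;), the function names and the connection fields are assumptions for illustration; the deny-listed keys are the option names used by libmysqlclient-style clients (PyMySQL, mysql-connector) and MySQL Connector/J.

```python
"""
Added example (not SQLBot code): guard a user-configured MySQL data source
against the LOAD DATA LOCAL INFILE vector.

Assumptions (hypothetical): extra parameters arrive as a string such as
"useSSL=false&connectTimeout=5000" or "local infile=1", optionally wrapped in
quotes or appended to a JDBC URL after '?'.
"""
import re
from urllib.parse import unquote_plus

# Client-side options that let the client honour a server-initiated
# LOAD DATA LOCAL INFILE. Stored in normalised form (lower-case, no
# whitespace/underscore/hyphen) so "local infile", "local_infile" and
# "allowLoadLocalInfile" all collapse onto an entry here.
LOCAL_INFILE_KEYS = frozenset({
    "localinfile",                 # libmysqlclient / PyMySQL: local_infile
    "allowlocalinfile",            # mysql-connector-python: allow_local_infile
    "allowloadlocalinfile",        # MySQL Connector/J
    "allowloadlocalinfileinpath",  # MySQL Connector/J (directory-scoped variant)
    "allowurlinlocalinfile",       # MySQL Connector/J
})


def _normalise_key(key: str) -> str:
    """Percent-decode, then drop whitespace, '_' and '-' and lower-case."""
    return re.sub(r"[\s_\-]", "", unquote_plus(key)).lower()


def parse_extra_params(extra: str) -> dict[str, str]:
    """Split an extra-parameter string into {normalised_key: value}.

    Accepts 'k=v&k2=v2' or 'k=v;k2=v2', surrounding quotes, and a full JDBC
    URL (only the part after '?' is parsed in that case).
    """
    text = extra.strip().strip("'\"")
    if text.lower().startswith("jdbc:"):
        text = text.partition("?")[2]
    params: dict[str, str] = {}
    for pair in re.split(r"[&;]", text):
        if not pair.strip():
            continue
        key, _, value = pair.partition("=")
        params[_normalise_key(key)] = unquote_plus(value).strip()
    return params


def find_local_infile_params(extra: str) -> list[str]:
    """Return the normalised deny-listed keys present, regardless of value.

    Any occurrence is reported: the safe value is the client default, so a
    legitimate configuration never needs to mention these keys at all.
    """
    return sorted(k for k in parse_extra_params(extra) if k in LOCAL_INFILE_KEYS)


def validate_extra_params(extra: str) -> tuple[bool, str]:
    """(ok, reason) for a user-supplied extra-parameter string."""
    hits = find_local_infile_params(extra)
    if hits:
        return False, "rejected: client-side LOCAL INFILE must stay disabled (" + ", ".join(hits) + ")"
    return True, "ok"


def build_connect_kwargs(host: str, port: int, user: str, password: str,
                         database: str, extra: str) -> dict:
    """Connection keyword arguments for a PyMySQL-style connect() call.

    Validates the extra parameters first, then pins local_infile=False last so
    nothing the user supplied can switch it back on. Raises ValueError on a
    rejected parameter set.
    """
    ok, reason = validate_extra_params(extra)
    if not ok:
        raise ValueError(reason)
    kwargs = {"host": host, "port": port, "user": user,
              "password": password, "database": database}
    # Only pass through the whitelisted, harmless tuning knobs (assumed set).
    passthrough = {"connecttimeout": "connect_timeout", "charset": "charset"}
    for key, value in parse_extra_params(extra).items():
        if key in passthrough:
            kwargs[passthrough[key]] = value
    kwargs["local_infile"] = False  # pinned: the connectivity check never uploads files
    return kwargs
```

The deny-list is a second line of defence only; the pinned `local_infile=False` is what actually keeps a hostile server's LOAD DATA LOCAL INFILE request from being honoured, so apply it on every connector the application uses, not just on the check endpoint.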

Weakness Enumeration

SSRF

Related Identifiers

CVE-2026-32949
GHSA-WQJ3-XCXF-J9M9

Affected Products

Sqlbot