CVE-2025-69285

High CVSS: 7.7

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available.

Vendor

Fit2cloud

Product

Sqlbot

CWE

CWE-306

Yayın Tarihi

2026-01-21 21:16:07

Güncelleme

2026-02-02 13:57:50

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-306 Sqlbot HIGH Fit2cloud 2026

Referanslar

https://github.com/dataease/SQLBot/releases/tag/v1.5.0 https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv

Benzer Kayıtlar

High

CVE-2026-32949

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Se…

High

CVE-2026-32950

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a cr…

High

CVE-2026-32622

SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a S…

Medium

CVE-2026-31798

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts,…

Medium

CVE-2026-31864

JumpServer is an open source bastion host and an operation and maintenance security audit system. a Server-Side Template…

Medium

CVE-2025-15598

A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend…