RCE in Dataease Sqlbot
CVE-2026-32622
SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowi…
Vulnerability class: Broken Access Control
EPSS: 0.004 (63.9th percentile)
Affected products
- Dataease Sqlbot — versions < 1.6.0
Weakness classification (CWE)
References
- https://github.com/dataease/SQLBot/security/advisories/GHSA-m7q7-vhw9-q7m3 (x_refsource_CONFIRM)
- https://github.com/dataease/SQLBot/releases/tag/v1.6.0 (x_refsource_MISC)