SQL Injection Vulnerability in SQLBot by DataEase
CVE-2026-32950

8.6HIGH

Key Information:

Vendor

Dataease

Status
Sqlbot
Vendor
CVE Published:
20 March 2026

What is CVE-2026-32950?

SQLBot, an intelligent data query system developed by DataEase, has a significant SQL Injection vulnerability present in versions before 1.7.0. This flaw allows authenticated users to execute remote commands on the backend server without necessary privileges. The vulnerability stems from unsanitized concatenation of Excel Sheet names into PostgreSQL table names and flawed embedding of these names into SQL statements. Attackers can exploit this by uploading crafted files to bypass limitations and insert malicious commands into the SQL execution context, leading to potential database takeover and exposure of sensitive files. It is crucial for users to update to version 1.7.0 or later to mitigate this risk.

Affected Version(s)

SQLBot < 1.7.0

References

https://github.com/dataease/SQLBot/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/dataease/SQLBot/commit/39f2203cec4bb4b...
x_refsource_MISC
https://github.com/dataease/SQLBot/releases/tag/v1.7.0
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.