CVE-2026-25879 Overview
CVE-2026-25879 is a critical SQL injection and remote code execution vulnerability in Langroid, a framework for building large-language-model-powered applications. The flaw exists in SQLChatAgent, which executes SQL statements generated by a large language model (LLM) without statement-level restrictions. Attackers who influence the agent's input, including indirectly through data returned to the LLM, can trigger prompt injection that coerces the agent into executing dialect-specific primitives. When the database role holds privileges such as PostgreSQL pg_execute_server_program, MySQL FILE, or MSSQL xp_cmdshell, this produces remote code execution on the database host. The issue is fixed in Langroid version 0.63.0.
Critical Impact
Prompt injection against SQLChatAgent enables remote code execution on the database host through primitives like COPY ... FROM PROGRAM.
Affected Products
- Langroid versions prior to 0.63.0
- Deployments using SQLChatAgent with privileged database roles
- Environments connecting to PostgreSQL, MySQL, or MSSQL with code execution or filesystem privileges
Discovery Timeline
- 2026-06-01 - CVE-2026-25879 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-25879
Vulnerability Analysis
Langroid's SQLChatAgent accepts natural language input, asks an LLM to produce SQL, and then executes that SQL against the configured database. Prior to version 0.63.0, the agent did not constrain the statement category or filter dialect-specific dangerous constructs. Any text reaching the LLM, including untrusted rows returned from prior queries, can carry injected instructions. The framework defers trust to the model's output and forwards the resulting SQL to the database driver. Because the agent is iterative, indirect prompt injection through query results is sufficient to influence subsequent statements [CWE-89].
Root Cause
The root cause is unrestricted SQL execution combined with reliance on LLM output as a security boundary. The agent treated model-generated SQL as trusted and forwarded it without parsing, classifying, or allow-listing statement types. No dialect-aware blocklist filtered constructs that escape the SQL layer into the operating system. When paired with a database role granting code execution or filesystem privileges, the design collapses the boundary between query execution and host execution.
Attack Vector
An attacker supplies input that the LLM incorporates into a SQL statement, either directly through chat input or indirectly through database content read back to the model. The injected SQL targets dialect-specific primitives that reach the host. On PostgreSQL, COPY ... FROM PROGRAM runs arbitrary shell commands when the role holds pg_execute_server_program. On MySQL, the FILE privilege enables reading and writing files on the server. On MSSQL, xp_cmdshell executes operating system commands when enabled. If the agent's network endpoint is exposed without access controls, no authentication is needed to reach it. The vulnerability is tracked under [CWE-89] and described in the GitHub Security Advisory.
Detection Methods for CVE-2026-25879
Indicators of Compromise
- Database logs containing COPY ... FROM PROGRAM, xp_cmdshell, SELECT ... INTO OUTFILE, or LOAD_FILE invocations originating from application sessions
- Unexpected child processes spawned by the database server such as postgres forking sh, bash, or cmd.exe
- New or modified files written by the database service account outside standard data directories
- Outbound network connections initiated by the database process to attacker-controlled infrastructure
Detection Strategies
- Enable statement logging on PostgreSQL, MySQL, and MSSQL and alert on dialect-specific dangerous primitives
- Correlate LLM agent query logs with database statements to identify model-generated SQL that deviates from SELECT patterns
- Monitor for process lineage anomalies where the database server parents shell or scripting interpreters
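Two of the strategies above, model-generated SQL that deviates from SELECT patterns and a database server parenting a shell, written out as detection logic over constructed sample data. This is an added example, not part of the advisory and not Langroid project code: the log lines assume PostgreSQL's log_statement output with a `%m [%p] %u@%d ` log_line_prefix, the role name langroid_app, the process snapshot and the function names (`flag_agent_statements`, `flag_db_spawned_shells`) are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed PostgreSQL statement-log excerpt (log_statement = 'all' with a
# log_line_prefix of '%m [%p] %u@%d '). Not real log data.
SAMPLE_PG_LOG = """\
2026-06-01 10:00:01.123 UTC [4120] langroid_app@appdb LOG:  statement: SELECT id, name FROM customers WHERE region = 'EU' LIMIT 10
2026-06-01 10:00:04.456 UTC [4120] langroid_app@appdb LOG:  statement: WITH recent AS (SELECT * FROM orders) SELECT count(*) FROM recent
2026-06-01 10:00:07.789 UTC [4120] langroid_app@appdb LOG:  statement: COPY scratch FROM PROGRAM 'placeholder-command'
2026-06-01 10:00:09.001 UTC [3311] dba@appdb LOG:  statement: CREATE INDEX orders_ts_idx ON orders (ts)
2026-06-01 10:00:12.222 UTC [4120] langroid_app@appdb LOG:  statement: DROP TABLE scratch
"""

# Constructed process snapshot as `ps -eo pid,ppid,comm` would show it. Not real data.
SAMPLE_PROCS = [
    (1, 0, "systemd"),
    (900, 1, "postgres"),      # postmaster
    (905, 900, "postgres"),    # backend serving an application session
    (906, 905, "sh"),          # shell whose parent is a database backend
    (907, 906, "curl"),
    (1200, 1, "sshd"),
    (1300, 1200, "bash"),      # administrator shell under sshd: expected
]

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
READ_ONLY_LEADERS = ("SELECT", "WITH")
DB_SERVER_PROCS = {"postgres", "mysqld", "sqlservr"}
SHELLS_AND_INTERPRETERS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
                           "python", "python3", "perl"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def flag_agent_statements(log_text: str, agent_role: str) -> list[Finding]:
    """Flag statements issued by the agent's database role whose leading keyword is
    not SELECT/WITH. Other roles (DBAs, migrations) are expected to write and are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or m["user"] != agent_role:
            continue
        words = m["sql"].split(None, 1)
        leading = words[0].upper() if words else ""
        if leading not in READ_ONLY_LEADERS:
            findings.append(Finding(
                "agent-non-select",
                f"{m['ts']} pid={m['pid']} {m['user']}@{m['db']}: {m['sql']}",
            ))
    return findings


def flag_db_spawned_shells(procs: list[tuple[int, int, str]]) -> list[Finding]:
    """Flag shells or interpreters whose direct parent is a database server process."""
    by_pid = {pid: (ppid, comm) for pid, ppid, comm in procs}
    findings = []
    for pid, ppid, comm in procs:
        parent_comm = by_pid.get(ppid, (None, ""))[1]
        if comm in SHELLS_AND_INTERPRETERS and parent_comm in DB_SERVER_PROCS:
            findings.append(Finding(
                "db-spawned-shell", f"{parent_comm}[{ppid}] -> {comm}[{pid}]"
            ))
    return findings


if __name__ == "__main__":
    findings = flag_agent_statements(SAMPLE_PG_LOG, "langroid_app")
    findings += flag_db_spawned_shells(SAMPLE_PROCS)
    for f in findings:
        print(f"[{f.rule}] {f.detail}")
```

The statement rule is deliberately scoped to the agent's role: a DBA creating an index is routine, while the same role that should only ever read issuing COPY or DROP is the deviation the strategy above is looking for. The process rule looks only one level up, which is enough for the `postgres` forking `sh` case; a real pipeline would walk the full ancestry and also cover `mysqld` and `sqlservr` parents.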
Monitoring Recommendations
- Audit database role grants for pg_execute_server_program, FILE, and xp_cmdshell permissions on accounts used by Langroid
- Track Langroid version inventory across deployments and flag instances below 0.63.0
- Inspect data sources feeding SQLChatAgent for untrusted content that could carry indirect prompt injection payloads
How to Mitigate CVE-2026-25879
Immediate Actions Required
- Upgrade Langroid to version 0.63.0 or later, which enforces a SELECT-only sqlglot-parsed statement allowlist by default
- Revoke pg_execute_server_program, FILE, and xp_cmdshell privileges from any database role used by SQLChatAgent
- Audit existing deployments for the allow_dangerous_operations=True setting and remove it unless the deployment is fully trusted
- Restrict network exposure of Langroid agent endpoints to authenticated clients only
Patch Information
The fix is shipped in Langroid v0.63.0. The release defaults SQLChatAgent to a SELECT-only allowlist parsed with sqlglot and applies a dialect-aware blocklist that rejects dangerous patterns. The legacy unrestricted behavior is gated behind allow_dangerous_operations=True for trusted deployments. Details are documented in the GitHub Security Advisory.
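The gate the fixed release describes, a SELECT-only allowlist combined with a dialect-aware blocklist, can be sketched as follows. This is an added illustration written for this page, not Langroid's own code: it uses regular expressions where the release uses the sqlglot parser, the pattern lists and the `Verdict`, `check_statement` and `execute_model_sql` names are assumptions, and the sample statements are constructed. It also shows why the blocklist has to run alongside the allowlist: `SELECT ... INTO OUTFILE` and `SELECT LOAD_FILE(...)` both begin with SELECT.

```python
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Verdict:
    """Result of the pre-execution gate: whether the SQL may run, and why not."""
    allowed: bool
    reason: str


# Comments are stripped before any check so a keyword cannot be split or hidden
# behind them (e.g. "COPY -- note\n scratch FROM PROGRAM ...").
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)

# Dialect-specific constructs that escape the SQL layer into the file system or the
# operating system. Hypothetical list written for this example, keyed by dialect name.
DANGEROUS_PRIMITIVES = {
    "postgres": [r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b"],   # needs pg_execute_server_program
    "mysql": [r"\bINTO\s+(OUTFILE|DUMPFILE)\b",            # needs FILE privilege
              r"\bLOAD_FILE\s*\(",
              r"\bLOAD\s+DATA\b"],
    "mssql": [r"\bxp_cmdshell\b"],                         # OS command execution
}

# Anything that writes, defines or executes. Deliberately conservative: a column named
# "execute" or a SELECT ... FOR UPDATE is rejected too, which is the right failure
# mode for an agent that is only meant to read.
NON_READ_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|CREATE|ALTER|DROP|TRUNCATE|GRANT|REVOKE|"
    r"COPY|EXEC|EXECUTE|CALL|INTO)\b",
    re.IGNORECASE,
)


def normalise(sql: str) -> str:
    """Remove comments and collapse all whitespace into single spaces."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub(" ", sql)).strip()


def split_statements(sql: str) -> list[str]:
    """Split on ';'. Naive (a ';' inside a string literal splits too), which errs
    towards rejecting; a production gate uses a real parser such as sqlglot."""
    return [part.strip() for part in sql.split(";") if part.strip()]


def check_statement(sql: str, dialect: str) -> Verdict:
    """Allow exactly one read-only SELECT (or CTE) that contains no dangerous primitive."""
    statements = split_statements(normalise(sql))
    if not statements:
        return Verdict(False, "empty statement")
    if len(statements) > 1:
        return Verdict(False, "stacked statements are not allowed")
    stmt = statements[0]

    # Blocklist first; for an unknown dialect apply every dialect's patterns.
    # SELECT ... INTO OUTFILE and SELECT LOAD_FILE(...) both begin with SELECT, so an
    # allowlist on the leading keyword alone would let them through.
    patterns = DANGEROUS_PRIMITIVES.get(dialect) or [
        p for group in DANGEROUS_PRIMITIVES.values() for p in group
    ]
    for pattern in patterns:
        if re.search(pattern, stmt, re.IGNORECASE):
            return Verdict(False, f"dangerous {dialect} primitive matched {pattern}")

    leading = stmt.split(" ", 1)[0].upper()
    if leading not in ("SELECT", "WITH"):
        return Verdict(False, f"statement type {leading} is not allowlisted")

    hit = NON_READ_KEYWORDS.search(stmt)
    if hit:  # catches DML hidden inside a CTE, e.g. WITH x AS (DELETE ...) SELECT ...
        return Verdict(False, f"non-read keyword {hit.group(1).upper()} inside statement")
    return Verdict(True, "single read-only statement")


def execute_model_sql(sql: str, dialect: str, run: Callable[[str], object]) -> object:
    """Fail-closed wrapper: the model's SQL reaches the driver (`run`) only if the gate allows it."""
    verdict = check_statement(sql, dialect)
    if not verdict.allowed:
        raise PermissionError(f"refused model-generated SQL: {verdict.reason}")
    return run(sql)


# Constructed statements of the kind an LLM might emit after benign or injected input.
SAMPLES = [
    ("postgres", "SELECT id, name FROM customers WHERE region = 'EU' LIMIT 10"),
    ("postgres", "WITH recent AS (SELECT * FROM orders) SELECT count(*) FROM recent"),
    ("postgres", "COPY scratch FROM PROGRAM 'placeholder-command'"),
    ("postgres", "COPY -- looks harmless\n scratch FROM PROGRAM 'placeholder-command'"),
    ("postgres", "SELECT 1; DROP TABLE customers"),
    ("postgres", "WITH x AS (DELETE FROM audit RETURNING *) SELECT count(*) FROM x"),
    ("mysql", "SELECT * FROM users INTO OUTFILE '/tmp/placeholder'"),
    ("mysql", "SELECT LOAD_FILE('/placeholder/path')"),
    ("mssql", "EXEC xp_cmdshell 'placeholder'"),
]

if __name__ == "__main__":
    for dialect, sql in SAMPLES:
        verdict = check_statement(sql, dialect)
        print("ALLOW" if verdict.allowed else "BLOCK", dialect, repr(sql), "->", verdict.reason)
```

The ordering matters: normalisation defeats comment and whitespace tricks, the stacked-statement check removes the `SELECT 1; DROP ...` shape, the blocklist catches SELECT-led primitives, and the keyword scan catches writes nested inside a CTE. Only `allow_dangerous_operations=True`, in the release's terms, should ever bypass a gate like this, and then only in a deployment where every input to the model is trusted.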
Workarounds
- Configure the database connection with a least-privilege role limited to read-only access on required schemas
- Disable xp_cmdshell on MSSQL and remove the FILE privilege on MySQL accounts used by the agent
- Place the database server in a network segment that blocks outbound connections to untrusted destinations
- Sanitize or isolate untrusted data sources before they are returned to the LLM to reduce indirect prompt injection risk
# Configuration example: upgrade Langroid and verify least-privilege database role
# Shell: upgrade to the fixed release
pip install --upgrade 'langroid>=0.63.0'
-- PostgreSQL (run in psql as a superuser): revoke dangerous privileges from the application role
REVOKE pg_execute_server_program FROM langroid_app;
ALTER ROLE langroid_app NOSUPERUSER;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO langroid_app;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

