Langroid CVE-2026-25879 — Prompt-to-SQL Injection Leads to RCE

AI relevance: Langroid's SQLChatAgent demonstrates a novel attack chain where natural-language prompt injection flows through LLM-generated SQL into database primitives that achieve remote code execution — a full prompt-to-execution pipeline.

  • CVE-2026-25879 affects langroid versions prior to 0.63.0, disclosed May 27, 2026.
  • The SQLChatAgent executes SQL statements generated directly by the LLM in response to user prompts.
  • An attacker who can shape the agent's input — directly or indirectly via data the LLM processes — can coerce SQL execution through the RunQueryTool.
  • When the agent connects to PostgreSQL with a role holding pg_execute_server_program, the attacker can inject COPY ... FROM PROGRAM to execute OS commands.
  • MySQL FILE privilege and MSSQL xp_cmdshell provide equivalent RCE paths on those databases.
  • The PoC demonstrates base64-encoded SQL injection embedded in a prompt that the LLM decodes and executes via the RunQueryTool.
  • Fixed in 0.63.0: by default the agent parses each statement with sqlglot and forwards only SELECT statements (an allowlist), backed by a dialect-aware blocklist of dangerous patterns.
  • The allow_dangerous_operations=True flag restores the previous unrestricted behavior for trusted deployments.
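The mitigation described in the last two bullets is the gate an agent needs between the model's output and RunQueryTool. The following is an added example, not langroid's own code: a standard-library Python validator that stands in for the sqlglot-based check (the sqlglot parse is assumed, not reproduced), with a constructed dialect blocklist and constructed sample statements. Because the PoC hides its payload as base64 that the LLM decodes before emitting SQL, the gate inspects the SQL the model actually produces rather than the prompt.

```python
import re
from typing import Tuple

# Comments and quoted literals are blanked before inspection so that a keyword
# hidden inside a string or comment can neither evade nor falsely trigger a check.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_QUOTED_RE = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'     # double-quoted identifier
    r"|`[^`]*`"            # backtick-quoted identifier (MySQL)
)
_WORD_RE = re.compile(r"[a-z_][a-z0-9_]*")

# Statement kinds that are never forwarded, wherever they appear in the text.
_WRITE_KEYWORDS = {
    "insert", "update", "delete", "merge", "truncate", "drop", "alter", "create",
    "grant", "revoke", "copy", "exec", "execute", "declare",
}

# Dialect-aware blocklist of primitives that reach the filesystem or the OS.
# COPY ... PROGRAM and xp_cmdshell are the paths named in the advisory; the
# MySQL entries are the statements the FILE privilege unlocks. Assumption: this
# list is illustrative and is not the project's actual blocklist.
_DANGEROUS = {
    "postgres": [r"\bcopy\b.*\b(?:from|to)\s+program\b", r"\bpg_read_file\b", r"\blo_(?:import|export)\b"],
    "mysql": [r"\binto\s+(?:outfile|dumpfile)\b", r"\bload_file\s*\(", r"\bload\s+data\b"],
    "mssql": [r"\bxp_cmdshell\b", r"\bopenrowset\b", r"\bsp_oacreate\b"],
}


def normalize(sql: str) -> str:
    """Return the statement with comments removed and quoted text blanked."""
    text = _COMMENT_RE.sub(" ", sql)
    text = _QUOTED_RE.sub("'?'", text)
    return text.strip()


def validate_sql(sql: str, dialect: str = "postgres") -> Tuple[bool, str]:
    """Decide whether an LLM-generated statement may be sent to the database.

    Returns (allowed, reason). Only a single SELECT that contains no write/admin
    keyword and no dialect-specific dangerous pattern is allowed.
    """
    if dialect not in _DANGEROUS:
        return False, f"unknown dialect {dialect!r}"
    text = normalize(sql)
    if text.endswith(";"):
        text = text[:-1].rstrip()
    if not text:
        return False, "empty statement"
    if ";" in text:
        return False, "multiple statements are not allowed"
    lowered = text.lower()
    words = _WORD_RE.findall(lowered)
    if not words or words[0] != "select":
        head = words[0].upper() if words else "nothing"
        return False, f"only SELECT statements are allowed (got {head})"
    blocked = _WRITE_KEYWORDS.intersection(words)
    if blocked:
        return False, f"write/admin keyword present: {', '.join(sorted(blocked))}"
    for pattern in _DANGEROUS[dialect]:
        if re.search(pattern, lowered, re.S):
            return False, f"dangerous {dialect} pattern matched: {pattern}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample statements, standing in for what the LLM might emit.
    samples = [
        ("postgres", "SELECT id, name FROM customers WHERE country = 'DE' LIMIT 10"),
        ("postgres", "SELECT * FROM orders -- ; DROP TABLE orders"),
        ("postgres", "SELECT 1; DROP TABLE customers"),
        ("postgres", "COPY customers FROM PROGRAM '<command>'"),
        ("mysql", "SELECT * INTO OUTFILE '<path>' FROM customers"),
        ("mssql", "SELECT * FROM notes WHERE body = 'xp_cmdshell'"),
        ("mssql", "EXEC xp_cmdshell '<command>'"),
    ]
    for dialect, sql in samples:
        allowed, reason = validate_sql(sql, dialect)
        print(f"[{dialect:8}] {'ALLOW ' if allowed else 'REJECT'} {sql!r}: {reason}")
```

Run the file directly to see each sample's verdict. Two limits matter in practice: a regex blocklist is a second layer rather than a parser, so a real deployment should keep the sqlglot-based parse that 0.63.0 uses and extend the patterns for its own dialect; and the gate does not replace the role audit, because a role holding pg_execute_server_program (or the MySQL FILE privilege, or xp_cmdshell access on MSSQL) reaches the OS through statements that otherwise look read-only, so the connecting account should hold none of them.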

Why it matters

This is a complete end-to-end demonstration of prompt-to-RCE through an LLM agent's database tool. It shows that any agent executing LLM-generated SQL against a database with elevated privileges effectively grants remote code execution to anyone who can influence the agent's prompt context — including through indirect injection via poisoned documents or data.

What to do

  • Upgrade langroid to ≥ 0.63.0 immediately.
  • Audit any SQLChatAgent deployments for database roles with excessive privileges.
  • Never run database-backed agents with superuser roles; use restricted, read-only service accounts.
  • Review other LLM agent frameworks that pass model output directly to database execution engines.

Sources: