ATR-2026-00570highData Poisoningexperimental
SQL injection in agent / MCP tool database query
An agent or MCP tool builds a SQL query from unvalidated input, letting an attacker (or prompt injection in retrieved content) inject a tautology, a UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a cluster of agent-app SQLi CVEs.
Severity
high
Category
Data Poisoning
Scan Target
runtime
Author
ATR Community
Response Actions
alert
References
OWASP Agentic
ASI06:2026 - Memory and Context Poisoning
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0051.001 - Indirect
Detection Conditions
Combinator: any- 01SQL boolean tautology (' OR '1'='1 / OR 1=1 --)field: contentop: regex
- 02UNION SELECT ... FROM to read arbitrary tablesfield: contentop: regex
- 03Stacked destructive query (; DROP/DELETE/TRUNCATE TABLE)field: contentop: regex
Attack Examples (Rule Triggers)
username=admin' OR '1'='1
id=1 UNION SELECT username,password FROM users
'; DROP TABLE users;--
?id=1 OR 1=1 --
Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.
Benign Examples (Rule Doesn't Trigger)
- benign 1
SELECT * FROM users WHERE id = ?
- benign 2
query = "SELECT name FROM products"
- benign 3
if (a == 1 || b == 1) return
- benign 4
page.union of selected items from list
Full YAML Definition
Edit on GitHub →title: SQL injection in agent / MCP tool database query
id: ATR-2026-00570
rule_version: 1
status: experimental
description: An agent or MCP tool builds a SQL query from unvalidated input, letting an attacker (or prompt injection in retrieved content) inject a tautology, a UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a cluster of agent-app SQLi CVEs.
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
cve:
- CVE-2026-7591
- CVE-2026-4593
- CVE-2026-5322
- CVE-2026-30860
cwe:
- CWE-89
external:
- https://nvd.nist.gov/vuln/detail/CVE-2026-30860
owasp_llm:
- LLM01:2025 - Prompt Injection
owasp_agentic:
- ASI06:2026 - Memory and Context Poisoning
mitre_atlas:
- AML.T0051.001 - Indirect
metadata_provenance:
cve: human-authored
cwe: human-authored
compliance:
eu_ai_act:
- article: "10"
context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the data-poisoning attempt (SQL injection in agent / MCP tool database query) affecting that data."
strength: primary
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
strength: secondary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
strength: secondary
nist_ai_rmf:
- subcategory: "MS.2.5"
context: "NIST AI RMF MEASURE 2.5 (system validity and reliability demonstrated) is supported by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
strength: primary
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
strength: secondary
iso_42001:
- clause: "8.2"
context: "ISO/IEC 42001 Clause 8.2 (AI risk assessment) is informed by this rule, which detects the data-poisoning attempt (SQL injection in agent / MCP tool database query) as an assessed risk."
strength: primary
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
strength: secondary
tags:
category: data-poisoning
scan_target: runtime
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
false_positives: []
conditions:
- field: content
operator: regex
value: (?i)(?:'\s*or\s+'?1'?\s*=\s*'?1|\bor\s+1\s*=\s*1\b\s*(?:--|#|/\*|;|$))
description: SQL boolean tautology (' OR '1'='1 / OR 1=1 --)
- field: content
operator: regex
value: (?i)\bunion\s+(?:all\s+)?select\b.{0,120}\bfrom\b
description: UNION SELECT ... FROM to read arbitrary tables
- field: content
operator: regex
value: (?i);\s*(?:drop|delete|truncate)\s+(?:table|database)\b
description: Stacked destructive query (; DROP/DELETE/TRUNCATE TABLE)
response:
actions:
- alert
notify:
- security_team
test_cases:
true_positives:
- input: username=admin' OR '1'='1
expected: triggered
description: attack 1
- input: id=1 UNION SELECT username,password FROM users
expected: triggered
description: attack 2
- input: '''; DROP TABLE users;--'
expected: triggered
description: attack 3
- input: ?id=1 OR 1=1 --
expected: triggered
description: attack 4
true_negatives:
- input: SELECT * FROM users WHERE id = ?
expected: not_triggered
description: benign 1
- input: query = "SELECT name FROM products"
expected: not_triggered
description: benign 2
- input: if (a == 1 || b == 1) return
expected: not_triggered
description: benign 3
- input: page.union of selected items from list
expected: not_triggered
description: benign 4
More Data Poisoning Rules
ATR-2026-00070highData Poisoning via RAG and Knowledge Base ContaminationATR-2026-00450highSpring AI PromptChatMemoryAdvisor Memory Poisoning (CVE-2026-41713)ATR-2026-01155mediumDirect Memory Plant Command — Persistent Fact or Code Storage InjectionATR-2026-01774highRAG & Memory Poisoning — Embedded Directives, Trigger Tokens, False Authority & Coercion (Semantic)ATR-2026-02143highCypher/Graph-Query Injection via Unsanitized node_labels or group_ids Field