Langroid SQLChatAgent Prompt-to-SQL Remote Code Execution (CVE-2026-25879)
Detects CVE-2026-25879 (CWE-89, CWE-94): Langroid's SQLChatAgent executes SQL statements produced by the LLM, which is itself influenceable by prompt injection (including indirectly, via data later returned to the LLM). When the configured database role has code-execution or filesystem privileges, an attacker can coerce the LLM into emitting a dialect-specific dangerous primitive — PostgreSQL `COPY ... FROM PROGRAM` / `pg_execute_server_program`, MySQL `FILE` / `LOAD_FILE` / `INTO OUTFILE`, or MSSQL `xp_cmdshell` — which the agent then executes verbatim via RunQueryTool, achieving remote code execution or arbitrary file read/write on the database host. Affected: langroid before 0.63.0 (allow_dangerous_operations=True restores the unrestricted legacy behavior for trusted deployments). Detection covers: (a) LLM-generated SQL containing PostgreSQL COPY ... FROM PROGRAM or pg_execute_server_program; (b) MySQL LOAD_FILE / INTO OUTFILE / FILE-privilege file primitives; (c) MSSQL xp_cmdshell invocation; (d) explicit CVE-2026-25879 exploitation framing. The detection target is the dialect-specific RCE/filesystem primitive appearing in SQL that is about to be executed by the SQL agent — an ordinary SELECT/INSERT/UPDATE statement, or a benign COPY FROM a file path (not PROGRAM), does not fire.
Detection Conditions
Combinator: any

- 01: PostgreSQL COPY ... FROM PROGRAM — executes an arbitrary OS command via the database server process, the core CVE-2026-25879 RCE PoC primitive (`COPY log(content) FROM PROGRAM 'id'`). (field: content, op: regex)
- 02: PostgreSQL pg_execute_server_program primitive — equivalent server-side command execution vector named in the advisory. (field: content, op: regex)
- 03: MSSQL xp_cmdshell — executes an arbitrary OS command via the database server process, the MSSQL-dialect RCE primitive named in the advisory. (field: content, op: regex)
- 04: MySQL SELECT ... INTO OUTFILE — writes arbitrary files to the database host filesystem via a FILE-privileged connection, the MySQL-dialect filesystem write primitive named in the advisory. (field: content, op: regex)
- 05: Explicit CVE-2026-25879 reference combined with Langroid prompt-to-SQL RCE language — attack framing in a skill or tool description. (field: content, op: regex)
Attack Examples (Rule Triggers)
- PostgreSQL COPY FROM PROGRAM RCE payload from the CVE-2026-25879 PoC
DROP TABLE IF EXISTS log; CREATE TABLE log(content text); COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;
- PostgreSQL pg_execute_server_program RCE primitive
SELECT pg_execute_server_program('id')
- MSSQL xp_cmdshell RCE primitive
EXEC xp_cmdshell 'whoami'
- MySQL SELECT ... INTO OUTFILE filesystem-write primitive
SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'
Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.
Benign Examples (Rule Doesn't Trigger)
- Ordinary benign SELECT statement generated by the SQL agent
SELECT * FROM users WHERE id = 42
- Benign COPY FROM a file path, not PROGRAM
COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)
- Ordinary benign INSERT statement generated by the SQL agent
INSERT INTO orders (customer_id, total) VALUES (7, 199.99)
- General question about SQLChatAgent, not an executable SQL payload
How does Langroid's SQLChatAgent turn a natural-language question into SQL?
Known False Positive Contexts
- A database administrator legitimately running COPY ... FROM PROGRAM or xp_cmdshell through a trusted, human-authored maintenance script — expected to match; review confirms intent.
- Security advisory or PR text quoting the CVE-2026-25879 payload.
- A benign SELECT, INSERT, or UPDATE statement generated by the SQL agent.
- A benign COPY FROM a file path (not PROGRAM).
Full YAML Definition
title: "Langroid SQLChatAgent Prompt-to-SQL Remote Code Execution (CVE-2026-25879)"
id: ATR-2026-01987
rule_version: 1
status: draft
description: >
  Detects CVE-2026-25879 (CWE-89, CWE-94): Langroid's SQLChatAgent executes
  SQL statements produced by the LLM, which is itself influenceable by prompt
  injection (including indirectly, via data later returned to the LLM). When
  the configured database role has code-execution or filesystem privileges,
  an attacker can coerce the LLM into emitting a dialect-specific dangerous
  primitive — PostgreSQL `COPY ... FROM PROGRAM` / `pg_execute_server_program`,
  MySQL `FILE` / `LOAD_FILE` / `INTO OUTFILE`, or MSSQL `xp_cmdshell` — which
  the agent then executes verbatim via RunQueryTool, achieving remote code
  execution or arbitrary file read/write on the database host. Affected:
  langroid before 0.63.0 (allow_dangerous_operations=True restores the
  unrestricted legacy behavior for trusted deployments).
  Detection covers:
  (a) LLM-generated SQL containing PostgreSQL COPY ... FROM PROGRAM or
  pg_execute_server_program;
  (b) MySQL LOAD_FILE / INTO OUTFILE / FILE-privilege file primitives;
  (c) MSSQL xp_cmdshell invocation;
  (d) explicit CVE-2026-25879 exploitation framing.
  The detection target is the dialect-specific RCE/filesystem primitive
  appearing in SQL that is about to be executed by the SQL agent — an
  ordinary SELECT/INSERT/UPDATE statement, or a benign COPY FROM a file path
  (not PROGRAM), does not fire.
author: "ATR Community"
date: "2026/07/04"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm:
    - "LLM01:2025 - Prompt Injection"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  mitre_attack:
    - "T1059 - Command and Scripting Interpreter"
  cve:
    - "CVE-2026-25879"
metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed
compliance:
  eu_ai_act:
    - { article: "15", context: "Article 15 cybersecurity — runtime detection of Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: primary }
    - { article: "9", context: "Article 9 risk management — runtime risk-treatment control for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: secondary }
  nist_ai_rmf:
    - { subcategory: "MP.5.1", context: "MAP 5.1 — adversarial input characterised/detected for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: primary }
    - { subcategory: "MG.3.2", context: "MANAGE 3.2 — runtime monitoring control for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: secondary }
  iso_42001:
    - { clause: "8.1", context: "Clause 8.1 operational control — detection of Langroid SQLChatAgent prompt-to-SQL remote code execution payload.", strength: primary }
    - { clause: "8.3", context: "Clause 8.3 AI risk treatment — runtime detection as treatment control.", strength: secondary }
tags:
  category: tool-poisoning
  subcategory: llm-generated-sql-rce
  scan_target: llm_io
  confidence: high
  source: cve-disclosure
  vendor_sources: langroid-cve-2026-25879
agent_source:
  type: llm_io
  framework:
    - langroid
    - any
  provider:
    - any
detection:
  condition: any
  false_positives:
    - "A database administrator legitimately running COPY ... FROM PROGRAM or xp_cmdshell through a trusted, human-authored maintenance script — expected to match; review confirms intent."
    - "Security advisory or PR text quoting the CVE-2026-25879 payload."
    - "A benign SELECT, INSERT, or UPDATE statement generated by the SQL agent."
    - "A benign COPY FROM a file path (not PROGRAM)."
  conditions:
    - field: content
      operator: regex
      value: '(?i)\bCOPY\b[\s\S]{0,120}\bFROM\s+PROGRAM\b'
      description: >
        PostgreSQL COPY ... FROM PROGRAM — executes an arbitrary OS command
        via the database server process, the core CVE-2026-25879 RCE PoC
        primitive (`COPY log(content) FROM PROGRAM 'id'`).
    - field: content
      operator: regex
      value: '(?i)\bpg_execute_server_program\b'
      description: >
        PostgreSQL pg_execute_server_program primitive — equivalent
        server-side command execution vector named in the advisory.
    - field: content
      operator: regex
      value: '(?i)\bxp_cmdshell\b'
      description: >
        MSSQL xp_cmdshell — executes an arbitrary OS command via the
        database server process, the MSSQL-dialect RCE primitive named in
        the advisory.
    - field: content
      operator: regex
      value: '(?i)\bINTO\s+OUTFILE\b'
      description: >
        MySQL SELECT ... INTO OUTFILE — writes arbitrary files to the
        database host filesystem via a FILE-privileged connection, the
        MySQL-dialect filesystem write primitive named in the advisory.
    - field: content
      operator: regex
      value: '(?i)CVE-2026-25879[\s\S]{0,120}(?:langroid|sqlchatagent|prompt.{0,20}sql|rce|xp_cmdshell|from program)'
      description: >
        Explicit CVE-2026-25879 reference combined with Langroid
        prompt-to-SQL RCE language — attack framing in a skill or tool
        description.
response:
  actions:
    - alert
    - block_input
  message_template: >
    [ATR-2026-01987] CRITICAL: Langroid SQLChatAgent prompt-to-SQL remote
    code execution detected (CVE-2026-25879, CWE-89/CWE-94). LLM-generated
    SQL contains a dialect-specific RCE/filesystem primitive
    (COPY ... FROM PROGRAM / pg_execute_server_program / xp_cmdshell /
    INTO OUTFILE). Block execution and upgrade langroid to
    >= 0.63.0, or disable allow_dangerous_operations.
confidence: 85
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: "DROP TABLE IF EXISTS log; CREATE TABLE log(content text); COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;"
      expected: triggered
      description: "PostgreSQL COPY FROM PROGRAM RCE payload from the CVE-2026-25879 PoC"
    - input: "SELECT pg_execute_server_program('id')"
      expected: triggered
      description: "PostgreSQL pg_execute_server_program RCE primitive"
    - input: "EXEC xp_cmdshell 'whoami'"
      expected: triggered
      description: "MSSQL xp_cmdshell RCE primitive"
    - input: "SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'"
      expected: triggered
      description: "MySQL SELECT ... INTO OUTFILE filesystem-write primitive"
  true_negatives:
    - input: "SELECT * FROM users WHERE id = 42"
      expected: not_triggered
      description: "Ordinary benign SELECT statement generated by the SQL agent"
    - input: "COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)"
      expected: not_triggered
      description: "Benign COPY FROM a file path, not PROGRAM"
    - input: "INSERT INTO orders (customer_id, total) VALUES (7, 199.99)"
      expected: not_triggered
      description: "Ordinary benign INSERT statement generated by the SQL agent"
    - input: "How does Langroid's SQLChatAgent turn a natural-language question into SQL?"
      expected: not_triggered
      description: "General question about SQLChatAgent, not an executable SQL payload"
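To show how the rule above behaves when evaluated as a pre-execution gate between the LLM and RunQueryTool, here is an added Python example (not Langroid's code and not the ATR project's own engine) that applies the five regex conditions from the YAML with its `any` combinator and replays the rule's own test cases; the function names and the evaluation harness are this example's assumptions.

```python
from __future__ import annotations
import re

# The five regex conditions copied from rule ATR-2026-01987, keyed by the
# condition number used on this page. Combinator is "any": one match fires.
CONDITIONS = {
    "01_pg_copy_from_program": r"(?i)\bCOPY\b[\s\S]{0,120}\bFROM\s+PROGRAM\b",
    "02_pg_execute_server_program": r"(?i)\bpg_execute_server_program\b",
    "03_mssql_xp_cmdshell": r"(?i)\bxp_cmdshell\b",
    "04_mysql_into_outfile": r"(?i)\bINTO\s+OUTFILE\b",
    "05_cve_framing": r"(?i)CVE-2026-25879[\s\S]{0,120}"
                      r"(?:langroid|sqlchatagent|prompt.{0,20}sql|rce|xp_cmdshell|from program)",
}
COMPILED = {name: re.compile(pattern) for name, pattern in CONDITIONS.items()}

# Response actions declared by the rule; applied whenever any condition matches.
ACTIONS = ["alert", "block_input"]


def matched_conditions(content: str) -> list[str]:
    """Names of every condition whose regex finds a match in `content`."""
    return [name for name, rx in COMPILED.items() if rx.search(content)]


def evaluate(content: str) -> dict:
    """Apply the rule with its 'any' combinator: one matching condition fires it.
    The verdict carries the matched condition names and the rule's actions, so a
    gateway can block the statement before the SQL agent executes it."""
    hits = matched_conditions(content)
    return {"triggered": bool(hits), "conditions": hits, "actions": ACTIONS if hits else []}


def run_rule_test_cases() -> bool:
    """Replay the rule's true_positives / true_negatives; False on any mismatch."""
    cases = [
        ("DROP TABLE IF EXISTS log; CREATE TABLE log(content text); "
         "COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;", True),
        ("SELECT pg_execute_server_program('id')", True),
        ("EXEC xp_cmdshell 'whoami'", True),
        ("SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'", True),
        ("SELECT * FROM users WHERE id = 42", False),
        ("COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)", False),
        ("INSERT INTO orders (customer_id, total) VALUES (7, 199.99)", False),
        ("How does Langroid's SQLChatAgent turn a natural-language question into SQL?", False),
    ]
    return all(evaluate(text)["triggered"] == expected for text, expected in cases)


if __name__ == "__main__":
    print("rule test cases pass:", run_rule_test_cases())
```

Note that the benign file-path COPY passes only because the regex requires the literal `PROGRAM` after `FROM`; a gate like this is a detection layer, and the page's actual fix is upgrading langroid to 0.63.0 or later and leaving `allow_dangerous_operations` off.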