ATR-2026-01987 | critical | Tool Poisoning | draft

Langroid SQLChatAgent Prompt-to-SQL Remote Code Execution (CVE-2026-25879)

Detects CVE-2026-25879 (CWE-89, CWE-94): Langroid's SQLChatAgent executes SQL statements produced by the LLM, which is itself influenceable by prompt injection (including indirectly, via data later returned to the LLM). When the configured database role has code-execution or filesystem privileges, an attacker can coerce the LLM into emitting a dialect-specific dangerous primitive — PostgreSQL `COPY ... FROM PROGRAM` (or membership of the `pg_execute_server_program` role, which grants that COPY form to non-superusers), MySQL `FILE`-privilege primitives (`LOAD_FILE`, `INTO OUTFILE`), or MSSQL `xp_cmdshell` — which the agent then executes verbatim via RunQueryTool, achieving remote code execution or arbitrary file read/write on the database host. Affected: langroid before 0.63.0 (allow_dangerous_operations=True restores the unrestricted legacy behavior for trusted deployments).

Detection covers: (a) LLM-generated SQL containing PostgreSQL COPY ... FROM PROGRAM or the pg_execute_server_program role name (COPY ... TO PROGRAM, which also runs an OS command, is not matched by the current conditions); (b) MySQL SELECT ... INTO OUTFILE (LOAD_FILE and INTO DUMPFILE are not matched by the current conditions); (c) MSSQL xp_cmdshell invocation; (d) explicit CVE-2026-25879 exploitation framing.

The detection target is the dialect-specific RCE/filesystem primitive appearing in SQL that is about to be executed by the SQL agent. An ordinary SELECT/INSERT/UPDATE statement, or a benign COPY FROM a file path (not PROGRAM), does not fire.

Severity
critical
Category
Tool Poisoning
Scan Target
llm_io
Author
ATR Community

Response Actions

alert, block_input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise

Detection Conditions

Combinator: any
  1. 01
    PostgreSQL COPY ... FROM PROGRAM — executes an arbitrary OS command via the database server process, the core CVE-2026-25879 RCE PoC primitive (`COPY log(content) FROM PROGRAM 'id'`). The sibling form COPY ... TO PROGRAM is not matched by this condition.
    field: content, op: regex
  2. 02
    PostgreSQL pg_execute_server_program — the predefined role whose membership lets a non-superuser run COPY ... FROM/TO PROGRAM; the role name appearing in LLM-generated SQL (for example in a GRANT) points at the same server-side command execution vector named in the advisory.
    field: content, op: regex
  3. 03
    MSSQL xp_cmdshell — executes an arbitrary OS command via the database server process, the MSSQL-dialect RCE primitive named in the advisory.
    field: content, op: regex
  4. 04
    MySQL SELECT ... INTO OUTFILE — writes arbitrary files to the database host filesystem via a FILE-privileged connection, the MySQL-dialect filesystem write primitive named in the advisory. LOAD_FILE and INTO DUMPFILE are not matched by this condition.
    field: content, op: regex
  5. 05
    Explicit CVE-2026-25879 reference combined with Langroid prompt-to-SQL RCE language — attack framing in a skill or tool description. Advisory or changelog text quoting the CVE fires it too (see Known False Positive Contexts).
    field: content, op: regex

Attack Examples (Rule Triggers)

  1. DROP TABLE IF EXISTS log; CREATE TABLE log(content text); COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;
  2. SELECT pg_execute_server_program('id')
  3. EXEC xp_cmdshell 'whoami'
  4. SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. Ordinary benign SELECT statement generated by the SQL agent
    SELECT * FROM users WHERE id = 42
  2. Benign COPY FROM a file path, not PROGRAM
    COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)
  3. Ordinary benign INSERT statement generated by the SQL agent
    INSERT INTO orders (customer_id, total) VALUES (7, 199.99)
  4. General question about SQLChatAgent, not an executable SQL payload
    How does Langroid's SQLChatAgent turn a natural-language question into SQL?

Known False Positive Contexts

  • A database administrator legitimately running COPY ... FROM PROGRAM or xp_cmdshell through a trusted, human-authored maintenance script — expected to match; review confirms intent.
  • Security advisory or PR text quoting the CVE-2026-25879 payload.
  • A benign SELECT, INSERT, or UPDATE statement generated by the SQL agent.
  • A benign COPY FROM a file path (not PROGRAM).
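The conditions above, run as a Python script over the page's regression inputs plus a few constructed probes of the rule's edges. This is an added example, not code from the rule or from the Langroid project: the five regexes are copied from the YAML definition; EXTRA_CONDITIONS (COPY ... TO PROGRAM, LOAD_FILE, INTO DUMPFILE), the comment-stripping normalize() step, the gate_llm_sql() wrapper and the sample inputs are assumptions about how a hardened revision and a tool-side gate could look, and the allow_dangerous_operations parameter only mirrors the flag the advisory describes, not Langroid's actual API.

```python
import re

# The five published conditions of ATR-2026-01987, copied from the YAML definition.
RULE_CONDITIONS = [
    ("01", re.compile(r"(?i)\bCOPY\b[\s\S]{0,120}\bFROM\s+PROGRAM\b")),
    ("02", re.compile(r"(?i)\bpg_execute_server_program\b")),
    ("03", re.compile(r"(?i)\bxp_cmdshell\b")),
    ("04", re.compile(r"(?i)\bINTO\s+OUTFILE\b")),
    ("05", re.compile(r"(?i)CVE-2026-25879[\s\S]{0,120}"
                      r"(?:langroid|sqlchatagent|prompt.{0,20}sql|rce|xp_cmdshell|from program)")),
]

# Primitives the published rule does not match. Hypothetical additions for a
# hardened revision (assumption), not part of the rule as shipped.
EXTRA_CONDITIONS = [
    ("x1", re.compile(r"(?i)\bCOPY\b[\s\S]{0,120}\bTO\s+PROGRAM\b")),  # PostgreSQL COPY ... TO PROGRAM
    ("x2", re.compile(r"(?i)\bLOAD_FILE\s*\(")),                       # MySQL LOAD_FILE() arbitrary read
    ("x3", re.compile(r"(?i)\bINTO\s+DUMPFILE\b")),                    # MySQL INTO DUMPFILE raw write
]

_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)


def normalize(sql):
    """Strip SQL comments and collapse whitespace so FROM/**/PROGRAM reads FROM PROGRAM.

    Heuristic, not a parser: it does not understand string literals, so it
    complements a least-privilege database role rather than replacing it.
    """
    return re.sub(r"\s+", " ", _COMMENT.sub(" ", sql)).strip()


def match_rule(text, conditions=RULE_CONDITIONS, normalize_first=False):
    """Return the ids of the conditions that fire on text ([] means not triggered)."""
    subject = normalize(text) if normalize_first else text
    return [cid for cid, rx in conditions if rx.search(subject)]


class DangerousSqlError(Exception):
    """Raised when LLM-generated SQL carries an RCE or filesystem primitive."""


def gate_llm_sql(sql, allow_dangerous_operations=False):
    """Illustrative tool-side gate in front of query execution (not Langroid's code).

    Models the behaviour the advisory describes for fixed versions: dangerous
    primitives are refused unless the operator opted in with
    allow_dangerous_operations=True. Returns the SQL that may be executed.
    """
    hits = match_rule(sql, RULE_CONDITIONS + EXTRA_CONDITIONS, normalize_first=True)
    if hits and not allow_dangerous_operations:
        raise DangerousSqlError(f"refusing LLM-generated SQL matching {hits}: {sql[:80]!r}")
    return sql


def is_refused(sql, **options):
    """True if gate_llm_sql would refuse sql under the given options."""
    try:
        gate_llm_sql(sql, **options)
    except DangerousSqlError:
        return True
    return False


# Constructed samples: the page's regression inputs plus probes of the rule's edges.
SAMPLES = {
    "pg_copy_from_program": "DROP TABLE IF EXISTS log; CREATE TABLE log(content text); "
                            "COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;",
    "pg_grant_exec_role": "GRANT pg_execute_server_program TO app_user",   # role name in valid SQL
    "mssql_xp_cmdshell": "EXEC xp_cmdshell 'whoami'",
    "mysql_into_outfile": "SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'",
    "benign_select": "SELECT * FROM users WHERE id = 42",
    "benign_copy_from_file": "COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)",
    "pg_copy_to_program": "COPY (SELECT 1) TO PROGRAM 'id'",              # gap in the published rule
    "mysql_load_file": "SELECT LOAD_FILE('/etc/passwd')",                # gap in the published rule
    "comment_split": "COPY log(content) FROM/**/PROGRAM 'id'",           # evades \s+ until normalized
    "advisory_text": "Changelog: CVE-2026-25879 prompt-to-SQL RCE in Langroid fixed",  # condition 05 FP
}


def run_report(samples=SAMPLES):
    """Map each sample name to (published hits, hardened hits) for side-by-side comparison."""
    return {
        name: (match_rule(s), match_rule(s, RULE_CONDITIONS + EXTRA_CONDITIONS, normalize_first=True))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (published, hardened) in run_report().items():
        print(f"{name:22} published={published or '-'}  hardened={hardened or '-'}")
```

Running the script prints, for each sample, which conditions fire under the published rule and under the hardened variant. The comment_split sample shows that `FROM/**/PROGRAM` slips past the `\s+` in condition 01 until comments are stripped, pg_copy_to_program and mysql_load_file show the two coverage gaps, and advisory_text reproduces the condition-05 false positive listed above. None of this replaces running the agent's connection as a role without FILE, pg_execute_server_program or xp_cmdshell rights; the regexes catch the payload, the role removes the capability.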

Full YAML Definition

title: "Langroid SQLChatAgent Prompt-to-SQL Remote Code Execution (CVE-2026-25879)"
id: ATR-2026-01987
rule_version: 1
status: draft
description: >
  Detects CVE-2026-25879 (CWE-89, CWE-94): Langroid's SQLChatAgent executes
  SQL statements produced by the LLM, which is itself influenceable by prompt
  injection (including indirectly, via data later returned to the LLM). When
  the configured database role has code-execution or filesystem privileges,
  an attacker can coerce the LLM into emitting a dialect-specific dangerous
  primitive — PostgreSQL `COPY ... FROM PROGRAM` (or membership of the
  `pg_execute_server_program` role, which grants that COPY form to
  non-superusers), MySQL `FILE`-privilege primitives (`LOAD_FILE`,
  `INTO OUTFILE`), or MSSQL `xp_cmdshell` — which the agent then executes
  verbatim via RunQueryTool, achieving remote code execution or arbitrary
  file read/write on the database host. Affected: langroid before 0.63.0
  (allow_dangerous_operations=True restores the unrestricted legacy behavior
  for trusted deployments).

  Detection covers:
  (a) LLM-generated SQL containing PostgreSQL COPY ... FROM PROGRAM or the
      pg_execute_server_program role name (COPY ... TO PROGRAM, which also
      runs an OS command, is not matched by the current conditions);
  (b) MySQL SELECT ... INTO OUTFILE (LOAD_FILE and INTO DUMPFILE are not
      matched by the current conditions);
  (c) MSSQL xp_cmdshell invocation;
  (d) explicit CVE-2026-25879 exploitation framing.

  The detection target is the dialect-specific RCE/filesystem primitive
  appearing in SQL that is about to be executed by the SQL agent. An
  ordinary SELECT/INSERT/UPDATE statement, or a benign COPY FROM a file path
  (not PROGRAM), does not fire.
author: "ATR Community"
date: "2026/07/04"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM01:2025 - Prompt Injection"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  mitre_attack:
    - "T1059 - Command and Scripting Interpreter"
  cve:
    - "CVE-2026-25879"

metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed

compliance:
  eu_ai_act:
    - { article: "15", context: "Article 15 cybersecurity — runtime detection of Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: primary }
    - { article: "9",  context: "Article 9 risk management — runtime risk-treatment control for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: secondary }
  nist_ai_rmf:
    - { subcategory: "MP.5.1", context: "MAP 5.1 — adversarial input characterised/detected for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: primary }
    - { subcategory: "MG.3.2", context: "MANAGE 3.2 — runtime monitoring control for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: secondary }
  iso_42001:
    - { clause: "8.1", context: "Clause 8.1 operational control — detection of Langroid SQLChatAgent prompt-to-SQL remote code execution payload.", strength: primary }
    - { clause: "8.3", context: "Clause 8.3 AI risk treatment — runtime detection as treatment control.", strength: secondary }

tags:
  category: tool-poisoning
  subcategory: llm-generated-sql-rce
  scan_target: llm_io
  confidence: high
  source: cve-disclosure
  vendor_sources: langroid-cve-2026-25879

agent_source:
  type: llm_io
  framework:
    - langroid
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "A database administrator legitimately running COPY ... FROM PROGRAM or xp_cmdshell through a trusted, human-authored maintenance script — expected to match; review confirms intent."
    - "Security advisory or PR text quoting the CVE-2026-25879 payload."
    - "A benign SELECT, INSERT, or UPDATE statement generated by the SQL agent."
    - "A benign COPY FROM a file path (not PROGRAM)."
  conditions:
    - field: content
      operator: regex
      value: '(?i)\bCOPY\b[\s\S]{0,120}\bFROM\s+PROGRAM\b'
      description: >
        PostgreSQL COPY ... FROM PROGRAM — executes an arbitrary OS command
        via the database server process, the core CVE-2026-25879 RCE PoC
        primitive (`COPY log(content) FROM PROGRAM 'id'`). The sibling form
        COPY ... TO PROGRAM is not matched by this condition.
    - field: content
      operator: regex
      value: '(?i)\bpg_execute_server_program\b'
      description: >
        PostgreSQL pg_execute_server_program — the predefined role whose
        membership lets a non-superuser run COPY ... FROM/TO PROGRAM; the
        role name appearing in LLM-generated SQL (for example in a GRANT)
        points at the same server-side command execution vector named in
        the advisory.
    - field: content
      operator: regex
      value: '(?i)\bxp_cmdshell\b'
      description: >
        MSSQL xp_cmdshell — executes an arbitrary OS command via the
        database server process, the MSSQL-dialect RCE primitive named in
        the advisory.
    - field: content
      operator: regex
      value: '(?i)\bINTO\s+OUTFILE\b'
      description: >
        MySQL SELECT ... INTO OUTFILE — writes arbitrary files to the
        database host filesystem via a FILE-privileged connection, the
        MySQL-dialect filesystem write primitive named in the advisory.
        LOAD_FILE and INTO DUMPFILE are not matched by this condition.
    - field: content
      operator: regex
      value: '(?i)CVE-2026-25879[\s\S]{0,120}(?:langroid|sqlchatagent|prompt.{0,20}sql|rce|xp_cmdshell|from program)'
      description: >
        Explicit CVE-2026-25879 reference combined with Langroid
        prompt-to-SQL RCE language — attack framing in a skill or tool
        description. Advisory or changelog text quoting the CVE fires it
        too (see false_positives).

response:
  actions:
    - alert
    - block_input
  message_template: >
    [ATR-2026-01987] CRITICAL: Langroid SQLChatAgent prompt-to-SQL remote
    code execution detected (CVE-2026-25879, CWE-89/CWE-94). LLM-generated
    SQL contains a dialect-specific RCE/filesystem primitive
    (COPY ... FROM PROGRAM / pg_execute_server_program / xp_cmdshell /
    INTO OUTFILE). Block execution, upgrade langroid to >= 0.63.0 with
    allow_dangerous_operations left at its default, and review the
    privileges of the database role the agent connects with.

confidence: 85

wild_fp_rate: 0

test_cases:
  true_positives:
    - input: "DROP TABLE IF EXISTS log; CREATE TABLE log(content text); COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;"
      expected: triggered
      description: "PostgreSQL COPY FROM PROGRAM RCE payload from the CVE-2026-25879 PoC"
    - input: "SELECT pg_execute_server_program('id')"
      expected: triggered
      description: "Token match on the pg_execute_server_program role name (regex regression string; not valid PostgreSQL, since pg_execute_server_program is a predefined role rather than a function)"
    - input: "EXEC xp_cmdshell 'whoami'"
      expected: triggered
      description: "MSSQL xp_cmdshell RCE primitive"
    - input: "SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'"
      expected: triggered
      description: "MySQL SELECT ... INTO OUTFILE filesystem-write primitive"
  true_negatives:
    - input: "SELECT * FROM users WHERE id = 42"
      expected: not_triggered
      description: "Ordinary benign SELECT statement generated by the SQL agent"
    - input: "COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)"
      expected: not_triggered
      description: "Benign COPY FROM a file path, not PROGRAM"
    - input: "INSERT INTO orders (customer_id, total) VALUES (7, 199.99)"
      expected: not_triggered
      description: "Ordinary benign INSERT statement generated by the SQL agent"
    - input: "How does Langroid's SQLChatAgent turn a natural-language question into SQL?"
      expected: not_triggered
      description: "General question about SQLChatAgent, not an executable SQL payload"

Revision History

Created
2026-07-04
Last modified
2026-07-05