ATR-2026-01987 · critical · tool poisoning · draft

Langroid SQLChatAgent Prompt-to-SQL Remote Code Execution (CVE-2026-25879)

Detects CVE-2026-25879 (CWE-89, CWE-94): Langroid's SQLChatAgent executes SQL statements produced by the LLM, which is itself influenceable by prompt injection (including indirectly, via data later returned to the LLM). When the configured database role has code-execution or filesystem privileges, an attacker can coerce the LLM into emitting a dialect-specific dangerous primitive (PostgreSQL `COPY ... FROM PROGRAM` / `pg_execute_server_program`, MySQL `FILE` / `LOAD_FILE` / `INTO OUTFILE`, or MSSQL `xp_cmdshell`), which the agent then executes verbatim via RunQueryTool, achieving remote code execution or arbitrary file read/write on the database host. Affected: langroid before 0.63.0 (allow_dangerous_operations=True restores the unrestricted legacy behavior for trusted deployments). Detection covers: (a) LLM-generated SQL containing PostgreSQL COPY ... FROM PROGRAM or pg_execute_server_program; (b) MySQL SELECT ... INTO OUTFILE, the FILE-privilege write primitive (LOAD_FILE, the read primitive named in the advisory, is not matched by the current conditions); (c) MSSQL xp_cmdshell invocation; (d) explicit CVE-2026-25879 exploitation framing. The detection target is the dialect-specific RCE/filesystem primitive appearing in SQL that is about to be executed by the SQL agent; an ordinary SELECT/INSERT/UPDATE statement, or a benign COPY FROM a file path (not PROGRAM), does not fire. The rule is a pattern match on the SQL text, not a privilege check: pair it with a least-privilege database role, since the primitives it matches only succeed when that role holds the corresponding server-side rights.

Severity
critical
Category
Tool poisoning
Scan target
llm_io
Author
ATR Community

Recommended response

alert, block_input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise

Detection conditions

Combination: any
  1. 01
    PostgreSQL COPY ... FROM PROGRAM: executes an arbitrary OS command via the database server process, the core CVE-2026-25879 RCE PoC primitive (`COPY log(content) FROM PROGRAM 'id'`).
    Field: content; Operator: regex
  2. 02
    PostgreSQL pg_execute_server_program primitive: equivalent server-side command execution vector named in the advisory.
    Field: content; Operator: regex
  3. 03
    MSSQL xp_cmdshell: executes an arbitrary OS command via the database server process, the MSSQL-dialect RCE primitive named in the advisory.
    Field: content; Operator: regex
  4. 04
    MySQL SELECT ... INTO OUTFILE: writes arbitrary files to the database host filesystem via a FILE-privileged connection, the MySQL-dialect filesystem write primitive named in the advisory.
    Field: content; Operator: regex
  5. 05
    Explicit CVE-2026-25879 reference combined with Langroid prompt-to-SQL RCE language: attack framing in a skill or tool description.
    Field: content; Operator: regex

Attack examples (rule triggers)

  1. DROP TABLE IF EXISTS log; CREATE TABLE log(content text); COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;
  2. SELECT pg_execute_server_program('id')
  3. EXEC xp_cmdshell 'whoami'
  4. SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'

The above are redacted versions of real attack payloads, versioned together with the rule as regression tests so that future revisions cannot silently stop catching them.

Benign samples (rule does not trigger)

  1. Ordinary benign SELECT statement generated by the SQL agent
    SELECT * FROM users WHERE id = 42
  2. Benign COPY FROM a file path, not PROGRAM
    COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)
  3. Ordinary benign INSERT statement generated by the SQL agent
    INSERT INTO orders (customer_id, total) VALUES (7, 199.99)
  4. General question about SQLChatAgent, not an executable SQL payload
    How does Langroid's SQLChatAgent turn a natural-language question into SQL?

Known false-positive scenarios

  • A database administrator legitimately running COPY ... FROM PROGRAM or xp_cmdshell through a trusted, human-authored maintenance script — expected to match; review confirms intent.
  • Security advisory or PR text quoting the CVE-2026-25879 payload.
  • A benign SELECT, INSERT, or UPDATE statement generated by the SQL agent.
  • A benign COPY FROM a file path (not PROGRAM).

Full YAML definition

title: "Langroid SQLChatAgent Prompt-to-SQL Remote Code Execution (CVE-2026-25879)"
id: ATR-2026-01987
rule_version: 1
status: draft
description: >
  Detects CVE-2026-25879 (CWE-89, CWE-94): Langroid's SQLChatAgent executes
  SQL statements produced by the LLM, which is itself influenceable by prompt
  injection (including indirectly, via data later returned to the LLM). When
  the configured database role has code-execution or filesystem privileges,
  an attacker can coerce the LLM into emitting a dialect-specific dangerous
  primitive — PostgreSQL `COPY ... FROM PROGRAM` / `pg_execute_server_program`,
  MySQL `FILE` / `LOAD_FILE` / `INTO OUTFILE`, or MSSQL `xp_cmdshell` — which
  the agent then executes verbatim via RunQueryTool, achieving remote code
  execution or arbitrary file read/write on the database host. Affected:
  langroid before 0.63.0 (allow_dangerous_operations=True restores the
  unrestricted legacy behavior for trusted deployments).

  Detection covers:
  (a) LLM-generated SQL containing PostgreSQL COPY ... FROM PROGRAM or
      pg_execute_server_program;
  (b) MySQL SELECT ... INTO OUTFILE, the FILE-privilege write primitive
      (LOAD_FILE, the read primitive named in the advisory, is not matched
      by the current conditions);
  (c) MSSQL xp_cmdshell invocation;
  (d) explicit CVE-2026-25879 exploitation framing.

  The detection target is the dialect-specific RCE/filesystem primitive
  appearing in SQL that is about to be executed by the SQL agent — an
  ordinary SELECT/INSERT/UPDATE statement, or a benign COPY FROM a file path
  (not PROGRAM), does not fire.
author: "ATR Community"
date: "2026/07/04"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM01:2025 - Prompt Injection"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  mitre_attack:
    - "T1059 - Command and Scripting Interpreter"
  cve:
    - "CVE-2026-25879"

metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed

compliance:
  eu_ai_act:
    - { article: "15", context: "Article 15 cybersecurity — runtime detection of Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: primary }
    - { article: "9",  context: "Article 9 risk management — runtime risk-treatment control for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: secondary }
  nist_ai_rmf:
    - { subcategory: "MP.5.1", context: "MAP 5.1 — adversarial input characterised/detected for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: primary }
    - { subcategory: "MG.3.2", context: "MANAGE 3.2 — runtime monitoring control for Langroid SQLChatAgent prompt-to-SQL remote code execution.", strength: secondary }
  iso_42001:
    - { clause: "8.1", context: "Clause 8.1 operational control — detection of Langroid SQLChatAgent prompt-to-SQL remote code execution payload.", strength: primary }
    - { clause: "8.3", context: "Clause 8.3 AI risk treatment — runtime detection as treatment control.", strength: secondary }

tags:
  category: tool-poisoning
  subcategory: llm-generated-sql-rce
  scan_target: llm_io
  confidence: high
  source: cve-disclosure
  vendor_sources: langroid-cve-2026-25879

agent_source:
  type: llm_io
  framework:
    - langroid
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "A database administrator legitimately running COPY ... FROM PROGRAM or xp_cmdshell through a trusted, human-authored maintenance script — expected to match; review confirms intent."
    - "Security advisory or PR text quoting the CVE-2026-25879 payload."
    - "A benign SELECT, INSERT, or UPDATE statement generated by the SQL agent."
    - "A benign COPY FROM a file path (not PROGRAM)."
  conditions:
    - field: content
      operator: regex
      value: '(?i)\bCOPY\b[\s\S]{0,120}\bFROM\s+PROGRAM\b'
      description: >
        PostgreSQL COPY ... FROM PROGRAM — executes an arbitrary OS command
        via the database server process, the core CVE-2026-25879 RCE PoC
        primitive (`COPY log(content) FROM PROGRAM 'id'`).
    - field: content
      operator: regex
      value: '(?i)\bpg_execute_server_program\b'
      description: >
        PostgreSQL pg_execute_server_program primitive — equivalent
        server-side command execution vector named in the advisory.
    - field: content
      operator: regex
      value: '(?i)\bxp_cmdshell\b'
      description: >
        MSSQL xp_cmdshell — executes an arbitrary OS command via the
        database server process, the MSSQL-dialect RCE primitive named in
        the advisory.
    - field: content
      operator: regex
      value: '(?i)\bINTO\s+OUTFILE\b'
      description: >
        MySQL SELECT ... INTO OUTFILE — writes arbitrary files to the
        database host filesystem via a FILE-privileged connection, the
        MySQL-dialect filesystem write primitive named in the advisory.
    - field: content
      operator: regex
      value: '(?i)CVE-2026-25879[\s\S]{0,120}(?:langroid|sqlchatagent|prompt.{0,20}sql|\brce\b|xp_cmdshell|from program)'
      description: >
        Explicit CVE-2026-25879 reference combined with Langroid
        prompt-to-SQL RCE language — attack framing in a skill or tool
        description.

response:
  actions:
    - alert
    - block_input
  message_template: >
    [ATR-2026-01987] CRITICAL: Langroid SQLChatAgent prompt-to-SQL remote
    code execution detected (CVE-2026-25879, CWE-89/CWE-94). LLM-generated
    SQL contains a dialect-specific RCE/filesystem primitive
    (COPY ... FROM PROGRAM / pg_execute_server_program / xp_cmdshell /
    INTO OUTFILE). Block execution, upgrade langroid to >= 0.63.0, and do
    not set allow_dangerous_operations=True; review the privileges of the
    database role the agent connects with.

confidence: 85

wild_fp_rate: 0

test_cases:
  true_positives:
    - input: "DROP TABLE IF EXISTS log; CREATE TABLE log(content text); COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;"
      expected: triggered
      description: "PostgreSQL COPY FROM PROGRAM RCE payload from the CVE-2026-25879 PoC"
    - input: "SELECT pg_execute_server_program('id')"
      expected: triggered
      description: "PostgreSQL pg_execute_server_program RCE primitive"
    - input: "EXEC xp_cmdshell 'whoami'"
      expected: triggered
      description: "MSSQL xp_cmdshell RCE primitive"
    - input: "SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'"
      expected: triggered
      description: "MySQL SELECT ... INTO OUTFILE filesystem-write primitive"
  true_negatives:
    - input: "SELECT * FROM users WHERE id = 42"
      expected: not_triggered
      description: "Ordinary benign SELECT statement generated by the SQL agent"
    - input: "COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)"
      expected: not_triggered
      description: "Benign COPY FROM a file path, not PROGRAM"
    - input: "INSERT INTO orders (customer_id, total) VALUES (7, 199.99)"
      expected: not_triggered
      description: "Ordinary benign INSERT statement generated by the SQL agent"
    - input: "How does Langroid's SQLChatAgent turn a natural-language question into SQL?"
      expected: not_triggered
      description: "General question about SQLChatAgent, not an executable SQL payload"
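As an added example (not part of the ATR rule record or of Langroid's code), the five conditions above evaluated in Python over the rule's own test cases plus a few constructed inputs. The regexes are copied from the YAML, except that condition 05 gets word boundaries around `rce`; without them the alternation also matches inside ordinary words such as "source" that can easily sit within 120 characters of the CVE identifier. `guard_before_execute` is a hypothetical pre-execution gate, not Langroid's RunQueryTool; its `allow_dangerous_operations` parameter borrows the flag name the advisory uses. The last constructed case documents the LOAD_FILE coverage gap rather than fixing it.

```python
import re

# The five conditions of ATR-2026-01987, copied from the rule YAML. Condition 05
# differs from the page in one place: `rce` is wrapped in \b...\b, because the
# bare alternative also matches inside words such as "source" or "enforce".
CONDITIONS = {
    "01_pg_copy_from_program": r"(?i)\bCOPY\b[\s\S]{0,120}\bFROM\s+PROGRAM\b",
    "02_pg_execute_server_program": r"(?i)\bpg_execute_server_program\b",
    "03_mssql_xp_cmdshell": r"(?i)\bxp_cmdshell\b",
    "04_mysql_into_outfile": r"(?i)\bINTO\s+OUTFILE\b",
    "05_cve_framing": (
        r"(?i)CVE-2026-25879[\s\S]{0,120}"
        r"(?:langroid|sqlchatagent|prompt.{0,20}sql|\brce\b|xp_cmdshell|from program)"
    ),
}
COMPILED = {name: re.compile(pattern) for name, pattern in CONDITIONS.items()}


def evaluate(content: str) -> list[str]:
    """Names of the conditions that match `content`; the rule fires on any hit."""
    return [name for name, rx in COMPILED.items() if rx.search(content)]


class DangerousSQL(Exception):
    """Raised when LLM-generated SQL carries one of the rule's primitives."""


def guard_before_execute(sql: str, allow_dangerous_operations: bool = False) -> str:
    """Hypothetical pre-execution gate (not Langroid's RunQueryTool).

    Mirrors the shape of the advisory's fix: refuse matching SQL unless the
    deployment opted in via allow_dangerous_operations (flag name from the advisory).
    """
    hits = evaluate(sql)
    if hits and not allow_dangerous_operations:
        raise DangerousSQL(f"[ATR-2026-01987] blocked LLM-generated SQL: {', '.join(hits)}")
    return sql


# Regression corpus: the rule's own test cases plus constructed inputs (marked).
# Each entry is (input, expected list of matching condition names).
CASES = [
    # true positives from the rule's test_cases
    ("DROP TABLE IF EXISTS log; CREATE TABLE log(content text); "
     "COPY log(content) FROM PROGRAM 'id'; SELECT * FROM log;",
     ["01_pg_copy_from_program"]),
    ("SELECT pg_execute_server_program('id')", ["02_pg_execute_server_program"]),
    ("EXEC xp_cmdshell 'whoami'", ["03_mssql_xp_cmdshell"]),
    ("SELECT id, name FROM staff INTO OUTFILE '/var/www/html/shell.php'",
     ["04_mysql_into_outfile"]),
    # true negatives from the rule's test_cases
    ("SELECT * FROM users WHERE id = 42", []),
    ("COPY log(content) FROM '/data/import.csv' WITH (FORMAT csv)", []),
    ("INSERT INTO orders (customer_id, total) VALUES (7, 199.99)", []),
    ("How does Langroid's SQLChatAgent turn a natural-language question into SQL?", []),
    # constructed: lowercase, multi-line variant of the PoC still matches
    ("copy\n  t(c)\nfrom   program 'id'", ["01_pg_copy_from_program"]),
    # constructed: CVE framing in a skill description fires condition 05 alone
    ("Skill: exploit CVE-2026-25879 in langroid to pop a shell", ["05_cve_framing"]),
    # constructed: advisory prose near the CVE id; "source" no longer trips `rce`
    ("CVE-2026-25879 was fixed upstream; see the source tree", []),
    # constructed: coverage gap, the MySQL LOAD_FILE read primitive has no condition
    ("SELECT LOAD_FILE('/etc/passwd')", []),
]


def run_regression() -> list[tuple[str, list[str], list[str]]]:
    """Return (input, expected, got) for every case whose verdict differs."""
    return [(text, want, evaluate(text)) for text, want in CASES if evaluate(text) != want]


if __name__ == "__main__":
    for failure in run_regression():
        print("MISMATCH", failure)
    print("regression failures:", len(run_regression()))
```

Running the file reports zero regression failures; adding a case to `CASES` is the cheapest way to pin a new payload variant before touching a regex, which is also how the rule's own versioned test cases are meant to be used.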

Revision history

Created
2026-07-04
Last modified
2026-07-05