langroid

CVE-2026-25879

CVE-2026-25879 is a critical-severity SQL injection vulnerability in langroid (pip), affecting versions < 0.63.0. It is fixed in 0.63.0.

Key facts

  • CVSS score: 9.8 (Critical)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: langroid
  • Fixed in: 0.63.0
  • Disclosed: 2026

Summary

Security Vulnerability Report: Prompt to SQL Injection leading to RCE in latest Langroid

Affected Scope

langroid < 0.63.0

Vulnerability Description

SQLChatAgent executes SQL produced by an LLM, which can be influenced by prompt injection. When the agent is configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input, including indirectly via data returned to the LLM, can coerce execution of dialect-specific primitives such as COPY ... FROM PROGRAM, achieving RCE on the database host.

Fixed in vX.Y by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.

Reproduction & PoC

This demo can be used to reproduce the vulnerability:

The PoC demonstrates successful command execution (id) through PostgreSQL's COPY FROM PROGRAM, proving remote code execution capability.

Note that with different databases, various SQL statements can be used for exploitation, resulting in RCE and/or reading or writing arbitrary files on the server.

Gadget

  • The LLM chooses to use the run_query tool
  • SQL generated by the LLM is executed on the server

Security Impact

This vulnerability allows attackers to achieve Remote Code Execution (RCE) on the database server with database user privileges. Attackers can:

  • Execute arbitrary system commands via COPY FROM PROGRAM
  • Exfiltrate sensitive data from the database
  • Modify or delete critical database contents
  • Pivot to further compromise the infrastructure

Suggestion

  • Implement SQL query whitelist validation: parse and validate all LLM-generated SQL queries against a strict whitelist of allowed operations (SELECT, INSERT, UPDATE with safe patterns only).
  • Block dangerous commands like COPY FROM PROGRAM, CREATE FUNCTION, and other DDL/administrative operations.

Impact

What is SQL injection?

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

Severity and exposure

CVE-2026-25879 has a CVSS score of 9.8 (Critical). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (0.63.0). Upgrading removes the vulnerable code path.

Affected versions

pip

  • langroid (< 0.63.0)

Security releases

  • langroid → 0.63.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Remediation advice

Upgrade langroid to 0.63.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-25879

What is CVE-2026-25879?

CVE-2026-25879 is a critical-severity SQL injection vulnerability in langroid (pip), affecting versions < 0.63.0. It is fixed in 0.63.0. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.

How severe is CVE-2026-25879?

CVE-2026-25879 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of langroid are affected by CVE-2026-25879?

langroid (pip) versions < 0.63.0 are affected.

Is there a fix for CVE-2026-25879?

Yes. CVE-2026-25879 is fixed in 0.63.0. Upgrade to this version or later.

Is CVE-2026-25879 exploitable, and should I be worried?

Whether CVE-2026-25879 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-25879 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-25879?

Upgrade langroid to 0.63.0 or later.