Back to search
CVE-2026-42463
Published: May 13, 2026
Modified: May 14, 2026
PUBLISHED
Description
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoints. An attacker can access and modify database schemas and data sources belonging to other tenants/workspaces. This vulnerability is fixed in 1.8.0.
| Vendor | Product | Versions |
|---|---|---|
dataease | SQLBot | affected < 1.8.0 |
Weaknesses (CWE)
References
https://github.com/dataease/SQLBot/security/advisories/GHSA-pq2r-fj48-xfpp
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now