{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-50180","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-03T22:05:13.644Z","datePublished":"2026-07-09T23:42:52.853Z","dateUpdated":"2026-07-10T20:59:17.652Z"},"containers":{"cna":{"title":"Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read","problemTypes":[{"descriptions":[{"cweId":"CWE-22","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-89","lang":"en","description":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.7,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/langroid/langroid/security/advisories/GHSA-pmch-g965-grmr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/langroid/langroid/security/advisories/GHSA-pmch-g965-grmr"},{"name":"https://github.com/langroid/langroid/commit/00b7dd7b79c5d03c94be284cf3459d98195ebfba","tags":["x_refsource_MISC"],"url":"https://github.com/langroid/langroid/commit/00b7dd7b79c5d03c94be284cf3459d98195ebfba"}],"affected":[{"vendor":"langroid","product":"langroid","versions":[{"version":"< 0.64.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-09T23:42:52.853Z"},"descriptions":[{"lang":"en","value":"Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, `SQLChatAgent` in `langroid` ships a `_validate_query` defense-in-depth layer whose `_DANGEROUS_SQL_PATTERNS` regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family `pg_read_file()`, `pg_stat_file()`, `pg_ls_logdir()`, `pg_ls_waldir()`, `pg_current_logfile()` (and similar `SELECT`-shaped functions in the same family). It also leaves SQL Server `OPENDATASOURCE` and SQLite `ATTACH '<file>' AS x` (DATABASE keyword omitted) unblocked. An attacker able to shape the LLM's generated SQL (directly via prompt input or transitively via prompt-injection in data the LLM ingests) can read arbitrary files from the PostgreSQL host through ordinary `SELECT` queries, even with the agent's strict default configuration (`allow_dangerous_operations=False`, `allowed_statement_types=['SELECT']`). The payloads survive the statement-type allowlist (each is a `SELECT`) and pass through the regex blocklist (none of the function names match), then reach the live SQLAlchemy engine via `SQLChatAgent.run_query`. Version 0.64.0 contains a patch for the issue."}],"source":{"advisory":"GHSA-pmch-g965-grmr","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-10T20:53:14.249515Z","id":"CVE-2026-50180","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-10T20:59:17.652Z"}}]}}