CNNVD-202601-3350 Information

CNNVD ID

CNNVD-202601-3350

CVE-2025-69285

  • CNNVD Published: 2026-01-21

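Description (translated from Chinese)

SQLBot is an intelligent data query system based on large language models and RAG, open-sourced by DataEase. SQLBot versions before 1.5.0 contain an access control error vulnerability. The vulnerability stems from missing authentication on the /api/v1/datasource/uploadExcel endpoint, which may allow an unauthenticated attacker to upload arbitrary files and inject data into the database.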

Description (English)

SQLBot is DataEase's open-source intelligent data query system built on large language models and RAG. Versions of SQLBot prior to 1.5.0 have an access control flaw caused by missing authentication on the /api/v1/datasource/uploadExcel endpoint, which could allow unauthenticated attackers to upload arbitrary files and inject data into the database.

Hazard Level

Low

Vulnerability Type

Access control error

Affected Vendor

DataEase

Published

2026-01-21

Last Modified

2026-02-24

References

https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv

https://github.com/dataease/SQLBot/releases/tag/v1.5.0

https://access.redhat.com/security/cve/cve-2025-69285

Patch

https://sqlbot.org/
