CVE-2025-15597

LOW EPSS 41.8%
Published Mar 2, 20263mo ago · Modified Apr 29, 20262mo ago
2.1 CVSS 4.0
Low
Find Similar
Published Mar 2, 2026 3mo ago
Last Modified Apr 29, 2026 2mo ago

Description

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.0 mitigates this issue. The name of the patch is d640ac31d1ce64ce90e06cf7081163915c9fc28c. Upgrading the affected component is recommended. Multiple endpoints are affected. The vendor was contacted early about this disclosure.

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
41.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-266
CWE-284

Affected Products 1

VendorProductVersionRange
fit2cloudsqlbot* <1.5.0

References 17

  • github.com https://github.com/dataease/SQLBot/
    Product
  • github.com https://github.com/dataease/SQLBot/commit/d640ac31d1ce64ce90e06cf7081163915c9fc28c
    Patch
  • github.com https://github.com/dataease/SQLBot/releases/tag/v1.5.0
    Release Notes
  • github.com https://github.com/dataease/SQLBot/security/advisories/GHSA-h4xm-3q3p-5g6r
    ExploitVendor Advisory
  • github.com https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-AIModel-Management-Missing-Authorization.md
    ExploitThird Party Advisory
  • github.com https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-User-Management-Broken-Access-Control.md
    ExploitThird Party Advisory
  • vuldb.com https://vuldb.com/?ctiid.348291
    Permissions RequiredVDB Entry
  • vuldb.com https://vuldb.com/?id.348291
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.706144
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707283
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707284
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707285
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707286
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707288
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707293
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707294
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.707295
    Third Party AdvisoryVDB Entry

Remediation

  • github.com https://github.com/dataease/SQLBot/commit/d640ac31d1ce64ce90e06cf7081163915c9fc28c
    Patch