SQL Injection Affecting langroid package, versions [,0.64.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.69% (49th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-LANGROID-17816645
  • published4 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-50180  (opens in a new tab)
CWE-22  (opens in a new tab)
CWE-89  (opens in a new tab)

How to fix?

Upgrade langroid to version 0.64.0 or higher.

Overview

langroid is a Harness LLMs with Multi-Agent Programming

Affected versions of this package are vulnerable to SQL Injection via insufficient filtering in the _validate_query process. An attacker can access arbitrary files on the database host and perform filesystem reconnaissance by injecting crafted SQL queries that evade the blocklist and are executed by the backend. This is possible when the attacker can influence the SQL generated by the LLM, such as through prompt input or prompt injection in ingested data.

CVSS Base Scores

version 4.0
version 3.1