CVE-2026-4997
Description
A security flaw has been discovered in Sinaptik AI PandasAI up to 3.0.0. This affects the function is_sql_query_safe of the file pandasai/helpers/sql_sanitizer.py. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in PandasAI ≤3.0.0 allows remote arbitrary file read by bypassing SQL safety checks via DuckDB's read_csv_auto() function.
Vulnerability Details
The vulnerability resides in the is_sql_query_safe() function within pandasai/helpers/sql_sanitizer.py. This function is designed to validate SQL queries generated by large language models (LLMs) before execution, ensuring they are safe. However, it only checks queries against a blocklist of keywords such as INSERT, DROP, and DELETE, and fails to block DuckDB-specific table functions like read_csv_auto(), read_parquet(), and read_json(). As a result, a SELECT query that includes these functions can pass all safety checks and be executed by DuckDB [1].
Exploitation Method
An attacker can craft a query such as SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':'), which is a valid SELECT statement and does not contain any blocked keywords. The query is then executed by the LocalDatasetLoader.execute_query() method, which hands the validated query directly to DuckDB for execution without further scrutiny [1]. The attack can be initiated remotely, and the vendor did not respond to disclosures [1].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server's filesystem, including sensitive files like /etc/passwd, .env files containing API keys, or SSH private keys. This can lead to further compromise of the server or associated systems [1].
Mitigation Status
As of the advisory date, the vendor has not responded to the disclosure, and no official patch is available for PandasAI up to version 3.0.0. Users are advised to restrict access to the affected endpoints or implement additional input validation until a fix is released [1].
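One form the additional input validation mentioned above could take, shown next to a keyword-only check for contrast. This is an added example, not PandasAI's code or a vendor fix: keyword_only_check is a constructed stand-in for a keyword blocklist, and hardened_check, called_functions and the sample "sales" query are hypothetical names introduced here.

```python
import re

# Constructed stand-in for a keyword-only blocklist (NOT PandasAI's code);
# the three keywords are the ones the advisory text names.
BLOCKED_KEYWORDS = {"INSERT", "DROP", "DELETE"}

# DuckDB table functions the advisory says the blocklist misses.
FILE_TABLE_FUNCTIONS = {"read_csv_auto", "read_parquet", "read_json"}

# Comments and single-quoted strings, matched left to right so that a quote
# inside a comment (or "--" inside a string) cannot hide a function call.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
# An identifier, optionally double-quoted, followed by "(".
_CALL = re.compile(r'"?([A-Za-z_][A-Za-z0-9_]*)"?\s*\(')

# Query quoted in the advisory.
ADVISORY_QUERY = "SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':')"


def keyword_only_check(query: str) -> bool:
    """Weak approach: accept unless a blocked keyword appears as a word."""
    words = set(re.findall(r"[A-Za-z_]+", query.upper()))
    return not (words & BLOCKED_KEYWORDS)


def called_functions(query: str) -> set:
    """Lower-cased names of everything invoked as name(...) in the query."""
    code_only = _NOISE.sub(" ", query)
    return {m.group(1).lower() for m in _CALL.finditer(code_only)}


def hardened_check(query: str) -> bool:
    """Keyword check plus rejection of file-reading table functions."""
    if not keyword_only_check(query):
        return False
    return not (called_functions(query) & FILE_TABLE_FUNCTIONS)


if __name__ == "__main__":
    benign = "SELECT name, COUNT(*) FROM sales GROUP BY name"  # constructed
    for q in (ADVISORY_QUERY, benign):
        print(keyword_only_check(q), hardened_check(q), q)
```

The set covers only the three functions the advisory names; any other file-reading function the deployed DuckDB version exposes has to be added, which is the usual weakness of a denylist.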
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: <=3.0.0
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.