PatchSiren cyber security CVE debrief
CVE-2026-5586 zhongyu09 CVE debrief
CVE-2026-5586 describes a SQL injection weakness in zhongyu09 openchatbi up to version 0.2.1, affecting an unknown function in the Multi-stage Text2SQL Workflow. The issue is reported as remotely exploitable through manipulation of the keywords argument, and the exploit has been publicly disclosed. NVD currently marks the vulnerability status as Deferred.
- Vendor: zhongyu09
- Product: openchatbi
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-05
- Original CVE updated: 2026-05-20
- Advisory published: 2026-04-05
- Advisory updated: 2026-05-20
Who should care
Teams running or evaluating openchatbi deployments, especially any environment that exposes the Multi-stage Text2SQL Workflow to remote users. Security owners should also care if the application is integrated into workflows that handle sensitive data or generate SQL from user input.
Technical summary
The available source material says the vulnerable component is the Multi-stage Text2SQL Workflow in openchatbi up to 0.2.1. Manipulating the keywords argument can lead to SQL injection. NVD maps the issue to CWE-89 and CWE-74 and provides a CVSS v4.0 vector indicating network reachability with low impact. No CPE criteria are listed in the NVD record, and the exact affected function is not named in the source corpus.
Defensive priority
Moderate priority despite the low CVSS score. The vulnerability is remote and publicly disclosed, so defenders should treat it as actionable even if the nominal impact is low.
Recommended defensive actions
- Upgrade or replace affected openchatbi versions at or below 0.2.1 once a fixed release is available.
- Review any code paths that pass the keywords argument into SQL construction and ensure parameterized queries or equivalent safe query builders are used.
- Restrict exposure of the Multi-stage Text2SQL Workflow to trusted users or internal networks until remediation is complete.
- Monitor application logs for unusual keyword values or unexpected query patterns tied to this workflow.
- Validate whether any deployed instance of openchatbi is using the referenced workflow and document exposure status for incident response.
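The source corpus does not name the affected function, so the following is an added illustration (not openchatbi code) of the pattern the second and fourth actions above target: a hypothetical keyword search stage that interpolates `keywords` into SQL, beside the parameterized form, plus a simple log-review heuristic for flagging keyword values that carry SQL metacharacters. The table, rows and function names are constructed for this example.

```python
"""Constructed model of a keyword-to-SQL stage; names and data are hypothetical."""
import re
import sqlite3
from typing import Iterable, List

# Constructed sample table standing in for a BI metadata store.
_SAMPLE_ROWS = [("Q1 revenue report",), ("O'Brien account summary",), ("churn analysis",)]


def _connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE docs (title TEXT)")
    con.executemany("INSERT INTO docs VALUES (?)", _SAMPLE_ROWS)
    return con


def search_unsafe(keywords: Iterable[str]) -> List[str]:
    """Weak pattern (CWE-89): keyword text is spliced into the SQL string.

    Even a benign keyword containing an apostrophe breaks the statement,
    which is the same defect that lets hostile input alter the query.
    """
    clauses = " OR ".join(f"title LIKE '%{kw}%'" for kw in keywords)
    sql = f"SELECT title FROM docs WHERE {clauses}"
    return [row[0] for row in _connect().execute(sql)]


def search_safe(keywords: Iterable[str]) -> List[str]:
    """Hardened form: each keyword travels as a bound parameter, never as SQL."""
    kws = list(keywords)
    if not kws or not all(isinstance(k, str) for k in kws):
        raise ValueError("keywords must be a non-empty list of strings")
    clauses = " OR ".join("title LIKE ?" for _ in kws)
    params = [f"%{kw}%" for kw in kws]
    sql = f"SELECT title FROM docs WHERE {clauses}"
    return [row[0] for row in _connect().execute(sql, params)]


# Heuristic for the log-monitoring action: quotes, statement separators,
# comment markers or SQL verbs inside a keyword value merit a closer look.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(union|select|drop)\b", re.IGNORECASE)


def flag_keyword(kw: str) -> bool:
    """Return True when a logged keyword value contains SQL metacharacters."""
    return bool(_SUSPICIOUS.search(kw))
```

Names such as O'Brien will trip the heuristic, so treat a flag as a review cue rather than a blocking rule; the parameterized query handles those values correctly regardless.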
Evidence notes
Source material includes the NVD CVE record (modified 2026-05-20) and CNA-provided references. The NVD entry states vulnStatus Deferred and links to the project repository, an issue report, and VulDB advisory pages. The description explicitly says the flaw affects openchatbi up to 0.2.1, is remotely exploitable, and can lead to SQL injection via manipulation of the keywords argument.
Official resources
Publicly disclosed, with exploit availability noted in the source description. CVE publishedAt: 2026-04-05T18:16:17.490Z; NVD modifiedAt: 2026-05-20T10:16:28.600Z.