ByteOS Network

CVE Vulnerability Details :

CVE-2025-15597

PUBLISHED

More Info Official Page

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-02 Mar, 2026 | 06:16

Updated At-02 Mar, 2026 | 06:16

▼CVE Numbering Authority (CNA)

Dataease SQLBot API Endpoint assistant.py access control

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.0 mitigates this issue. The name of the patch is d640ac31d1ce64ce90e06cf7081163915c9fc28c. Upgrading the affected component is recommended. Multiple endpoints are affected. The vendor was contacted early about this disclosure.

Affected Products

Vendor

DataEase (FIT2CLOUD Inc.)

Product

SQLBot

Modules

API Endpoint

Versions

Affected

1.0
1.1
1.2
1.3
1.4.0

Unaffected

1.5.0

Problem Types

Type	CWE ID	Description
CWE	CWE-284	Improper Access Controls
CWE	CWE-266	Incorrect Privilege Assignment

Type: CWE

CWE ID: CWE-284

Description: Improper Access Controls

Type: CWE

CWE ID: CWE-266

Description: Incorrect Privilege Assignment

Metrics

Version	Base score	Base severity	Vector
4.0	5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
3.0	6.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
2.0	6.5	N/A	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Version: 4.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Version: 3.0

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Version: 2.0

Base score: 6.5

Base severity: N/A

Vector:

AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Credits

reporter

yaowenxiao (VulDB User)

coordinator

VulDB

Timeline

Event	Date
Advisory disclosed	2026-03-01 00:00:00
VulDB entry created	2026-03-01 01:00:00
VulDB entry last update	2026-03-01 07:35:46

Event: Advisory disclosed

Date: 2026-03-01 00:00:00

Event: VulDB entry created

Date: 2026-03-01 01:00:00

Event: VulDB entry last update

Date: 2026-03-01 07:35:46

References

Hyperlink	Resource
https://vuldb.com/?id.348291	vdb-entry
https://vuldb.com/?ctiid.348291	signature permissions-required
https://vuldb.com/?submit.706144	third-party-advisory
https://vuldb.com/?submit.707283	third-party-advisory
https://vuldb.com/?submit.707284	third-party-advisory
https://vuldb.com/?submit.707285	third-party-advisory
https://vuldb.com/?submit.707286	third-party-advisory
https://vuldb.com/?submit.707288	third-party-advisory
https://vuldb.com/?submit.707293	third-party-advisory
https://vuldb.com/?submit.707294	third-party-advisory
https://vuldb.com/?submit.707295	third-party-advisory
https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-User-Management-Broken-Access-Control.md	exploit
https://github.com/dataease/SQLBot/security/advisories/GHSA-h4xm-3q3p-5g6r	related
https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-AIModel-Management-Missing-Authorization.md	exploit
https://github.com/dataease/SQLBot/commit/d640ac31d1ce64ce90e06cf7081163915c9fc28c	patch
https://github.com/dataease/SQLBot/releases/tag/v1.5.0	patch
https://github.com/dataease/SQLBot/	product