◈ AI Security Intelligence ← All terms
Attack  ·  Glossary

SQL injection via AI endpoints

Definition
A classic database attack technique applied to the interfaces AI plugins expose. By sending maliciously crafted text through an AI translation, search, or chatbot endpoint, an attacker can manipulate the underlying database query to extract all stored data—including the AI provider API keys the application stores alongside user records.
Why it matters
AI-powered plugins often store high-value secrets (API keys for OpenAI, Google, Anthropic) directly in the same database that their endpoints query, compounding a standard data breach into a full credential theft. A single unauthenticated SQL injection against an AI plugin can hand an attacker unlimited access to an organisation's AI services.
Demonstrated by recent findings
GPTranslate WordPress AI Translation Plugin — Unauthenticated SQL Injection (CVE-2026-49776)GPTranslate WordPress Plugin — Unauthenticated SQL Injection via AI Translation Endpoint (CVSS 9.3)CVE-2026-8335 — Aix-DB LLM Endpoint Allows Unauthenticated SQL Query Execution Against the Application Database
References
OWASP — SQL Injection
Track this in the live feed See how this plays out in real AI security and governance developments.
Open the feed →