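# Detection rule: SQL injection carried through an agent / MCP tool database query.
# Three regex conditions (boolean tautology, UNION SELECT, stacked destructive
# statement) are OR-ed together (condition: any) over the `content` field of
# llm_io events. `content` is whatever text the agent sends or receives, so it
# is treated as untrusted (prompt injection in retrieved content, see description).
title: SQL injection in agent / MCP tool database query
id: ATR-2026-00570
# Bumped from 1: the stacked-query pattern changed (see detection.conditions).
rule_version: 2
status: experimental
description: >-
  An agent or MCP tool builds a SQL query from unvalidated input, letting an
  attacker (or prompt injection in retrieved content) inject a tautology, a
  UNION SELECT to read other tables, or a stacked DROP/DELETE. Generalizes a
  cluster of agent-app SQLi CVEs.
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: experimental
severity: high

references:
  cve:
    - CVE-2026-7591
    - CVE-2026-4593
    - CVE-2026-5322
    - CVE-2026-30860
  cwe:
    - CWE-89
  external:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-30860
  owasp_llm:
    - LLM01:2025 - Prompt Injection
  owasp_agentic:
    - ASI06:2026 - Memory and Context Poisoning
  mitre_atlas:
    - AML.T0051.001 - Indirect

metadata_provenance:
  cve: human-authored
  cwe: human-authored

compliance:
  eu_ai_act:
    - article: "10"
      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the data-poisoning attempt (SQL injection in agent / MCP tool database query) affecting that data."
      strength: primary
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.5"
      context: "NIST AI RMF MEASURE 2.5 (system validity and reliability demonstrated) is supported by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: primary
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary
  iso_42001:
    - clause: "8.2"
      context: "ISO/IEC 42001 Clause 8.2 (AI risk assessment) is informed by this rule, which detects the data-poisoning attempt (SQL injection in agent / MCP tool database query) as an assessed risk."
      strength: primary
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
      strength: secondary

tags:
  category: data-poisoning
  scan_target: runtime
  confidence: high

agent_source:
  type: llm_io
  framework:
    - any
  provider:
    - any

detection:
  # Any single condition below is enough to fire the rule.
  condition: any
  false_positives: []
  # The regex values are deliberately left as plain scalars: they contain
  # single quotes that would need doubling inside a single-quoted YAML string.
  conditions:
    # Quoted form (' OR '1'='1) or bare form (OR 1=1) followed by a comment
    # marker (--, #, /*), a statement terminator (;) or end of content.
    # NOTE(review): a bare OR 1=1 followed by a newline and more text is not
    # matched, since the terminator alternative is required; presumably this is
    # intended to limit false positives on prose — confirm with the rule author.
    - field: content
      operator: regex
      value: (?i)(?:'\s*or\s+'?1'?\s*=\s*'?1|\bor\s+1\s*=\s*1\b\s*(?:--|#|/\*|;|$))
      description: SQL boolean tautology (' OR '1'='1 / OR 1=1 --)
    # UNION [ALL] SELECT with a FROM at most 120 characters later (same line).
    - field: content
      operator: regex
      value: (?i)\bunion\s+(?:all\s+)?select\b.{0,120}\bfrom\b
      description: UNION SELECT ... FROM to read arbitrary tables
    # Statement terminator followed by a destructive statement. The previous
    # pattern required DELETE to be followed by TABLE/DATABASE, which is not
    # SQL syntax, so "; DELETE FROM users" never matched although the
    # description claimed DELETE coverage; DELETE is now matched as DELETE FROM.
    - field: content
      operator: regex
      value: (?i);\s*(?:(?:drop|truncate)\s+(?:table|database)|delete\s+from)\b
      description: Stacked destructive query (; DROP/TRUNCATE TABLE, ; DELETE FROM)

response:
  actions:
    - alert
  notify:
    - security_team

test_cases:
  # Inputs are quoted so that leading '?', embedded quotes and '*' are never
  # reinterpreted by the YAML parser.
  true_positives:
    - input: "username=admin' OR '1'='1"
      expected: triggered
      description: attack 1
    - input: "id=1 UNION SELECT username,password FROM users"
      expected: triggered
      description: attack 2
    - input: '''; DROP TABLE users;--'
      expected: triggered
      description: attack 3
    - input: "?id=1 OR 1=1 --"
      expected: triggered
      description: attack 4
    - input: '''; DELETE FROM users;--'
      expected: triggered
      description: attack 5 (stacked DELETE FROM, previously undetected)
  true_negatives:
    - input: "SELECT * FROM users WHERE id = ?"
      expected: not_triggered
      description: benign 1
    - input: 'query = "SELECT name FROM products"'
      expected: not_triggered
      description: benign 2
    - input: "if (a == 1 || b == 1) return"
      expected: not_triggered
      description: benign 3
    - input: "page.union of selected items from list"
      expected: not_triggered
      description: benign 4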
