This vulnerability affects zhongyu09 openchatbi versions 0.2.0 and 0.2.1 in an unknown function within the Multi-stage Text2SQL Workflow component. Manipulating the 'keywords' argument can lead to SQL injection, enabling an attacker to interfere with the application's database queries remotely. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low complexity, no user interaction, and limited privileges required. The vendor was contacted but did not respond, and no patch or official remediation is currently available.

Successful exploitation could allow an attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access or modification. However, the impact is limited by the requirement of limited privileges and low exploit complexity. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or vendor response is available, users should consider implementing application-level input validation and SQL query parameterization as temporary mitigations. Monitor for updates from the vendor or trusted security sources for an official patch.