Beyond Static Rules: Automated Discovery of Latent Vulnerabilities in Text-to-SQL

Hanqing Wang, Yongdong Chi, Jian Yang, Lei Yang, Jiehui Zhao, Yun Chen, Guanhua Chen

Abstract
While Large Language Models (LLMs) have achieved remarkable success in Text-to-SQL tasks, their deployment in real-world environments is hindered by latent reliability issues. Identifying these latent weaknesses is critical for building trustworthy database interfaces, yet current diagnostic approaches rely heavily on static, expert-defined rules, which lack the capability for systematic and automated exploration. To bridge this gap, we propose SAGE (Systematic Automated Guided Exploration), a novel framework designed to autonomously uncover latent failure patterns in LLM-based Text-to-SQL generation. Specifically, SAGE generates vulnerability hypotheses for given samples and references a continuously evolving Vulnerability Codex to design targeted perturbations, thereby iteratively verifying and documenting potential defects. Extensive experiments on state-of-the-art open-source LLMs demonstrate that SAGE uncovers a substantial number of failure cases, highlighting the significant fragility of current models. Furthermore, our analysis reveals that the Vulnerability Codex exhibits strong cross-model transferability, indicating that the discovered patterns represent generalized structural weaknesses. Finally, we explore SAGE’s potential for remediation. Furthermore, a preliminary attempt at lightweight fine-tuning on the generated samples yields promising improvements, suggesting a scalable pathway for closing the reliability loop in future work.
Anthology ID:
2026.findings-acl.842
Volume:
Findings of the Association for Computational Linguistics: ACL 2026
Month:
July
Year:
2026
Address:
San Diego, California, United States
Editors:
Maria Liakata, Viviane P. Moreira, Jiajun Zhang, David Jurgens
Venue:
Findings
SIG:
Publisher:
Association for Computational Linguistics
Note:
Pages:
17065–17082
Language:
URL:
https://aclanthology.org/2026.findings-acl.842/
DOI:
Bibkey:
Cite (ACL):
Hanqing Wang, Yongdong Chi, Jian Yang, Lei Yang, Jiehui Zhao, Yun Chen, and Guanhua Chen. 2026. Beyond Static Rules: Automated Discovery of Latent Vulnerabilities in Text-to-SQL. In Findings of the Association for Computational Linguistics: ACL 2026, pages 17065–17082, San Diego, California, United States. Association for Computational Linguistics.
Cite (Informal):
Beyond Static Rules: Automated Discovery of Latent Vulnerabilities in Text-to-SQL (Wang et al., Findings 2026)
Copy Citation:
PDF:
https://aclanthology.org/2026.findings-acl.842.pdf
Checklist:
 2026.findings-acl.842.checklist.pdf
PDF Cite Search Checklist Fix data