diff --git a/zhenxun/builtin_plugins/web_ui/api/configure/__init__.py b/zhenxun/builtin_plugins/web_ui/api/configure/__init__.py
index f04fe5fe..abadd03e 100644
--- a/zhenxun/builtin_plugins/web_ui/api/configure/__init__.py
+++ b/zhenxun/builtin_plugins/web_ui/api/configure/__init__.py
@@ -52,7 +52,10 @@ async def _(setting: Setting) -> Result:
         port = setting.port
     if setting.db_url:
         if setting.db_url.startswith("sqlite"):
+            base_dir = Path().resolve()
             db_path = Path(setting.db_url.split(":")[-1])
+            if db_path.is_absolute() and not db_path.is_relative_to(base_dir):
+                return Result.fail("数据库路径不在项目根目录内。")
             db_path.parent.mkdir(parents=True, exist_ok=True)
         env_text = env_text.replace('DB_URL = ""', f'DB_URL = "{setting.db_url}"')
     if setting.username: