VYPR
Medium severity 6.3 · NVD Advisory · Published Mar 16, 2026 · Updated Apr 29, 2026

CVE-2026-4230

Description

A vulnerability has been found in vanna-ai vanna up to 2.0.2. Affected is the function update_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Such manipulation leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in vanna-ai vanna's update_sql endpoint allows arbitrary SQL execution by storing unsanitized SQL in cache and later running it.

The vulnerability resides in the update_sql endpoint within src/vanna/legacy/flask/__init__.py. Unlike other endpoints that apply input validation via is_sql_valid(), this endpoint directly stores the user-supplied SQL into a shared cache without any sanitization or authentication checks [1]. The corresponding run_sql endpoint then retrieves the cached SQL and executes it against the backend database, again without validation, allowing attackers to bypass existing security controls [1].

Exploitation is straightforward: an attacker sends a POST request to /api/v0/update_sql with arbitrary SQL in the JSON body, then immediately calls /api/v0/run_sql with the same cache identifier. The default NoAuth configuration means no credentials are required, enabling remote, unauthenticated attacks [1]. This design flaw circumvents the more limited validations in the generate_sql endpoint and works across all supported database backends.

The impact is severe: an attacker can execute any SQL command, including DROP TABLE, data exfiltration, and – depending on the database – arbitrary file reads (e.g., pg_read_file on PostgreSQL) or remote code execution (e.g., xp_cmdshell on SQL Server) [1]. This vulnerability is considered more dangerous than previously disclosed CVEs (CVE-2024-7764 and CVE-2024-8055) because it requires no LLM manipulation or regex bypass and is 100% deterministic [1].

As of the advisory date, the vendor has not responded to disclosure, and no official patch or workaround has been released [1]. Users of vanna versions up to 2.0.2 are advised to restrict network access to the API, enforce strong authentication, or implement a reverse proxy with SQL injection filtering until a fix is available.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
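
The store-then-execute pattern described above, modelled next to a checked variant. This is an added Python example, not vanna's code and not part of the advisory. The handler functions, the cache dict and the in-memory SQLite database are assumptions, and is_sql_valid here is a simplified stand-in for the validator the text names.

```python
import sqlite3

cache = {}  # stand-in for the shared cache: cache id -> {"sql": ...}

def is_sql_valid(sql):
    # Simplified stand-in for the validator named in the advisory:
    # accepts exactly one statement that begins with SELECT.
    body = sql.strip().rstrip(";").strip()
    return body.lower().startswith("select") and ";" not in body

def update_sql_unchecked(cache_id, sql):
    cache[cache_id] = {"sql": sql}  # caller-supplied SQL cached as-is

def run_sql_unchecked(conn, cache_id):
    # Cached SQL is treated as trusted and executed without validation.
    return conn.execute(cache[cache_id]["sql"]).fetchall()

def update_sql_checked(cache_id, sql):
    if not is_sql_valid(sql):
        raise ValueError("rejected on store: not a single SELECT")
    cache[cache_id] = {"sql": sql}

def execute_read_only(conn, sql):
    # Second layer: the engine itself refuses writes, whatever the validator says.
    conn.execute("PRAGMA query_only = ON")
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.execute("PRAGMA query_only = OFF")

def run_sql_checked(conn, cache_id):
    sql = cache[cache_id]["sql"]
    # Validate again at the sink: other code paths can write to the cache.
    if not is_sql_valid(sql):
        raise ValueError("rejected on execute: not a single SELECT")
    return execute_read_only(conn, sql)

def make_db():
    # Constructed sample data, in memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, total REAL)")
    conn.execute("INSERT INTO orders VALUES (1, 9.5)")
    conn.commit()
    return conn

def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1
```

The string check is deliberately conservative and is not a complete SQL validator; the read-only execution path is the control that still holds if the validator is bypassed or the cache is written by another route.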

Affected products

1

Patches

0

No patches discovered yet.

References

4
