PyPI package
mindsdb
pkg:pypi/mindsdb
Vulnerabilities (23)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-7711 | High | 7.3 | | <= 26.0.1 | — | May 4, 2026 | A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remot |
| CVE-2026-27483 | — | | | < 25.9.1.1 | 25.9.1.1 | Feb 24, 2026 | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution. The vulnerabilit |
| CVE-2026-2531 | Medium | 6.3 | | <= 25.14.1 | — | Feb 16, 2026 | A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed |
| CVE-2025-68472 | — | | | < 25.11.1 | 25.11.1 | Jan 12, 2026 | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensi |
| CVE-2024-45856 | — | | | <= 24.9.2.1 | — | Sep 12, 2024 | A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI. |
| CVE-2024-45855 | — | | | >= 23.10.2.0, <= 24.9.2.1 | — | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. |
| CVE-2024-45854 | — | | | >= 23.10.3.0, <= 24.9.2.1 | — | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. |
| CVE-2024-45853 | — | | | >= 23.10.2.0, <= 24.9.2.1 | — | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. |
| CVE-2024-45852 | — | | | >= 23.3.2.0, <= 24.9.2.1 | — | Sep 12, 2024 | Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. |
| CVE-2024-45851 | — | | | >= 23.10.5.0, < 24.7.4.1 | 24.7.4.1 | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creat |
| CVE-2024-45850 | — | | | >= 23.10.5.0, < 24.7.4.1 | 24.7.4.1 | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column cre |
| CVE-2024-45849 | — | | | >= 23.10.5.0, < 24.7.4.1 | 24.7.4.1 | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. |
| CVE-2024-45848 | — | | | >= 23.12.4.0, < 24.7.4.1 | 24.7.4.1 | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaD |
| CVE-2024-45847 | — | | | >= 23.11.4.2, < 24.7.4.1 | 24.7.4.1 | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the spec |
| CVE-2024-45846 | — | | | >= 23.10.3.0, < 24.7.4.1 | 24.7.4.1 | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the |
| CVE-2024-24759 | — | | | < 23.12.4.2 | 23.12.4.2 | Sep 5, 2024 | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version |
| CVE-2024-3575 | — | | | <= 23.6.3.1 | — | Apr 16, 2024 | Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb |
| CVE-2023-50731 | — | | | < 23.11.4.1 | 23.11.4.1 | Dec 22, 2023 | MindsDB is a SQL Server for artificial intelligence. Prior to version 23.11.4.1, the `put` method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled name value, which is used in a temporary file name, which is afterwards opened for writing on l |
| CVE-2023-49796 | — | | | < 23.11.4.1 | 23.11.4.1 | Dec 11, 2023 | MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue. |
| CVE-2023-49795 | — | | | < 23.11.4.1 | 23.11.4.1 | Dec 11, 2023 | MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB's `staging` branch or v23.11.4.1, which conta |
Page 1 of 2