VulnerableCode Package Details - pkg:pypi/mindsdb@24.10.4.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-krac-rtac-2qe5 Aliases: CVE-2026-7711 GHSA-9f6m-65v9-x9g2	MindsDB has an Improper Access Control Issue A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.	26.1.0rc1 Affected by 0 other vulnerabilities.
VCID-qtua-yjhn-nqav Aliases: CVE-2026-27483 GHSA-4894-xqv6-vrfq	MindsDB: Path Traversal in /api/files Leading to Remote Code Execution There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.	25.9.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-stp6-86fa-cubn Aliases: CVE-2026-2531 GHSA-6xw9-2p64-7622 PYSEC-2026-91	A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.	26.0.0rc1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-uab9-6bgh-efct Aliases: CVE-2025-68472 GHSA-qqhf-pm3j-96g7 PYSEC-2026-90	MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.	25.11.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-krac-rtac-2qe5
Aliases:
CVE-2026-7711
GHSA-9f6m-65v9-x9g2

MindsDB has an Improper Access Control Issue A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

26.1.0rc1
Affected by 0 other vulnerabilities.

VCID-qtua-yjhn-nqav
Aliases:
CVE-2026-27483
GHSA-4894-xqv6-vrfq

MindsDB: Path Traversal in /api/files Leading to Remote Code Execution There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.

25.9.1.1
Affected by 3 other vulnerabilities.

VCID-stp6-86fa-cubn
Aliases:
CVE-2026-2531
GHSA-6xw9-2p64-7622
PYSEC-2026-91

A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.

26.0.0rc1
Affected by 1 other vulnerability.

VCID-uab9-6bgh-efct
Aliases:
CVE-2025-68472
GHSA-qqhf-pm3j-96g7
PYSEC-2026-90

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.

25.11.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:25:37.248685+00:00	GitLab Importer	Affected by	VCID-krac-rtac-2qe5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2026-7711.yml	38.6.0
2026-06-06T06:57:45.810096+00:00	GitLab Importer	Affected by	VCID-qtua-yjhn-nqav	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2026-27483.yml	38.6.0
2026-06-06T06:52:19.466967+00:00	GitLab Importer	Affected by	VCID-stp6-86fa-cubn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2026-2531.yml	38.6.0
2026-06-06T06:37:31.283055+00:00	GitLab Importer	Affected by	VCID-uab9-6bgh-efct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mindsdb/CVE-2025-68472.yml	38.6.0
2026-06-05T17:04:56.463164+00:00	PyPI Importer	Affected by	VCID-stp6-86fa-cubn	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T17:04:50.049473+00:00	PyPI Importer	Affected by	VCID-uab9-6bgh-efct	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-02T04:23:56.011499+00:00	Pypa Importer	Affected by	VCID-stp6-86fa-cubn	https://github.com/pypa/advisory-database/blob/main/vulns/mindsdb/PYSEC-2026-91.yaml	38.6.0
2026-06-02T04:23:41.411384+00:00	Pypa Importer	Affected by	VCID-uab9-6bgh-efct	https://github.com/pypa/advisory-database/blob/main/vulns/mindsdb/PYSEC-2026-90.yaml	38.6.0