Skip to main content

agno CVE-2026-10105

| EUVDEUVD-2026-33358 HIGH
SQL Injection (CWE-89)
2026-05-29 VulnCheck GHSA-82m5-3pcp-hccq
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 29, 2026 - 18:29 vuln.today
v3 (cvss_changed)
Analysis Updated
May 29, 2026 - 18:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 29, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 29, 2026 - 18:22 NVD
8.3 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 29, 2026 - 17:55 vuln.today
Analysis Generated
May 29, 2026 - 17:55 vuln.today

DescriptionCVE.org

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.

AnalysisAI

SQL injection in agno 2.6.5's ClickHouse vector database backend allows authenticated attackers to inject arbitrary SQL via metadata keys and values passed to delete_by_metadata(). The flaw stems from unsafe f-string interpolation in clickhousedb.py and enables row deletion, targeted data tampering, and information extraction through error-based or blind SQLi. No public exploit identified at time of analysis, but a vendor patch (PR #7883) is available and the issue was disclosed by VulnCheck.

Technical ContextAI

agno is an open-source Python framework for building AI agents (CPE cpe:2.3:a:agno-agi:agno) that integrates with multiple vector database backends, including ClickHouse via the clickhouse_connect driver. The vulnerability is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the delete_by_metadata() method in libs/agno/agno/vectordb/clickhouse/clickhousedb.py iterated over caller-supplied metadata dictionaries and built ClickHouse JSONExtractString/JSONExtractFloat/JSONExtractBool WHERE conditions using Python f-string interpolation of both the dict key and value. Because neither identifier nor literal was passed through the ClickHouse named-parameter system ({name:Type} placeholders), any string that escaped the surrounding single quotes - for example a key containing ') = 1 OR (JSONExtractString(toString(filters), ' - was concatenated directly into the executed SQL. The fix replaces interpolation with named ClickHouse parameters (meta_key_N / meta_val_N typed as String, Float64, or Bool) so the driver performs proper escaping.

RemediationAI

Patch available per vendor advisory: upgrade agno to the release that contains PR https://github.com/agno-agi/agno/pull/7883, which rewrites delete_by_metadata to pass metadata keys and values as ClickHouse named parameters ({meta_key_N:String} / {meta_val_N:String|Float64|Bool}) instead of f-string-interpolated literals; the exact released patched version is not independently confirmed from the provided data, so pin to the first agno tag that includes commits 26a7439 and a0ec993. Until you can upgrade, the most effective compensating control is to stop forwarding untrusted metadata into ClickHouseDb.delete_by_metadata - either restrict the call site to operator-only code paths, or wrap it with a strict allowlist that rejects any key not matching ^[A-Za-z0-9_]+$ and coerces values to expected types before the call; this preserves functionality for trusted callers but blocks injection payloads. If agent tools expose deletion to end users, disable the delete-by-metadata tool entirely as an interim measure, accepting the loss of programmatic vector cleanup. Track the upstream issue at https://github.com/agno-agi/agno/issues/7866 and the VulnCheck advisory at https://www.vulncheck.com/advisories/agno-sql-injection-via-clickhouse-delete-by-metadata for a confirmed fixed version.

Share

CVE-2026-10105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy