Mindsdb
CVE-2026-2531
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.
AnalysisAI
MindsDB versions up to 25.14.1 contain a server-side request forgery vulnerability in the file upload functionality that allows authenticated remote attackers to forge requests to internal or external systems. Public exploit code exists for this vulnerability, and affected organizations should apply patch 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed or upgrade to a patched version immediately.
Technical ContextAI
Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Mindsdb. A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.
RemediationAI
A vendor patch is available — apply it immediately. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.
MindsDB is a platform for building artificial intelligence from enterprise data. Rated critical severity (CVSS 9.1), thi
MindsDB is a SQL Server for artificial intelligence. Rated critical severity (CVSS 9.1), this vulnerability is remotely
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrict
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a malicious
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the
An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the
An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenti
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciou
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6xw9-2p64-7622