CVE-2026-3409
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2Tags
Description
A security flaw has been discovered in eosphoros-ai db-gpt 0.7.5. Affected is the function importlib.machinery.SourceFileLoader.exec_module of the file /api/v1/serve/awel/flow/import of the component Flow Import Endpoint. Performing a manipulation as part of File results in code injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Remote code injection in eosphoros-ai db-gpt 0.7.5 allows unauthenticated attackers to execute arbitrary code through malicious file uploads to the Flow Import endpoint. The vulnerability exploits unsafe module loading in the file import functionality and has public exploit code available. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Disable the /api/v1/serve/awel/flow/import endpoint or restrict access to trusted internal networks only. Within 7 days: Conduct an audit of recent flow imports to identify potential exploitation and implement network segmentation to isolate affected systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today