Skip to main content

Db Gpt CVE-2026-4505

| EUVDEUVD-2026-13806 LOW
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-20 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
PoC Detected
Mar 23, 2026 - 14:32 vuln.today
Public exploit code
EUVD ID Assigned
Mar 20, 2026 - 20:15 euvd
EUVD-2026-13806
Analysis Generated
Mar 20, 2026 - 20:15 vuln.today
CVE Published
Mar 20, 2026 - 20:02 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

An unrestricted file upload vulnerability exists in eosphoros-ai DB-GPT versions up to 0.7.5 within the module_plugin.refresh_plugins function of the FastAPI endpoint located at packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py. An authenticated attacker can remotely upload arbitrary files to the system, potentially achieving remote code execution or system compromise. A public proof-of-concept exploit is available on GitHub, and the vendor has not responded to early disclosure attempts, indicating patches may not be forthcoming.

Technical ContextAI

DB-GPT is a large language model framework built on FastAPI (a modern Python web framework). The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), representing a failure to properly validate file uploads at the application layer. The affected component is a FastAPI endpoint handler responsible for refreshing plugin modules, which apparently accepts and persists uploaded files without sufficient validation of file type, size, or content. The CPE cpe:2.3:a:eosphoros-ai:db-gpt:*:*:*:*:*:*:*:* indicates all versions up to 0.7.5 are in scope. The root cause is improper input validation and insufficient access controls on the upload mechanism, allowing authenticated users to bypass intended restrictions.

RemediationAI

Immediately upgrade eosphoros-ai DB-GPT to a version greater than 0.7.5 if available from the project repository (check https://github.com/eosphoros-ai/DB-GPT for releases). If no patched version is available due to vendor non-responsiveness, implement compensating controls: restrict network access to the FastAPI endpoint to trusted internal networks only, enforce authentication and authorization on all upload endpoints via reverse proxy rules, disable the module_plugin.refresh_plugins functionality if not operationally required, and implement strict file upload validation at the reverse proxy layer (block executable file types, enforce size limits, and scan uploads with antivirus/sandbox tools). Monitor audit logs for suspicious file uploads and consider containerizing DB-GPT deployments to limit blast radius of potential file-based exploits.

More in Db Gpt

View all
CVE-2024-10902 CRITICAL POC
9.8 Mar 20

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Uplo

CVE-2024-10835 CRITICAL POC
9.8 Mar 20

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queri

CVE-2024-10833 CRITICAL POC
9.1 Mar 20

eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. Rated critical sev

CVE-2024-10831 CRITICAL POC
9.1 Mar 20

In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. Rated c

CVE-2024-10834 CRITICAL POC
9.1 Mar 20

eosphoros-ai/db-gpt version 0.6.0 contains a vulnerability in the RAG-knowledge endpoint that allows for arbitrary file

CVE-2024-10830 HIGH POC
8.2 Mar 20

A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/de

CVE-2025-0452 HIGH POC
8.2 Mar 20

eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/up

CVE-2024-10906 HIGH POC
8.1 Mar 20

In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance

CVE-2026-4504 MEDIUM POC
5.5 Mar 20

SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api

CVE-2024-10901 CRITICAL POC
9.8 Mar 20

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL que

CVE-2024-10829 HIGH POC
7.5 Mar 20

A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of eosphoros-ai/db-gpt v0

Share

CVE-2026-4505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy