Skip to main content

txtai CVE-2026-58449

| EUVDEUVD-2026-40418 CRITICAL
Code Injection (CWE-94)
2026-06-30 VulnCheck GHSA-m8p4-rrq5-qvmf
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated when no TOKEN is set (PR:N), but the required exposed/token-less/writable non-default deployment justifies AC:H; the resolved callable runs in-process giving full C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 30, 2026 - 22:29 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 22:28 vuln.today
Analysis Updated
Jun 30, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 22:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Jun 30, 2026 - 22:02 vuln.today

DescriptionCVE.org

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a remote attacker can set function to an arbitrary callable such as subprocess.getoutput, achieving remote code execution as the server process during reindexing. Exploitation requires those deployment conditions (API exposed, no TOKEN, writable index); it is not the default configuration. The fix gates the endpoint behind a new reindex configuration flag.

AnalysisAI

Remote code execution in txtai through 9.10.0 lets a remote attacker reach the API /reindex endpoint and supply an arbitrary dotted callable (for example subprocess.getoutput) that the server imports and invokes during reindexing, running commands as the server process. The flaw is exploitable only when the API is network-exposed with no TOKEN set (so all endpoints are unauthenticated) and the index is writable - not the default posture. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate exposed token-less txtai API
Delivery
POST to /reindex with function=subprocess.getoutput
Exploit
Resolver imports and calls attacker callable
Execution
Command runs as server process
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires a specific non-default deployment: the txtai HTTP API must be network-reachable, no TOKEN may be configured (authentication is opt-in, so an unset TOKEN leaves every endpoint unauthenticated), and the index must be configured writable so the /reindex endpoint will execute. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mostly aligned toward high severity but tempered by configuration dependence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a network-reachable txtai API instance running without a TOKEN and with a writable index. They send a single request to /reindex with the function parameter set to a callable such as subprocess.getoutput plus a shell command; txtai resolves and invokes it during reindexing, executing the command as the server process. …
Remediation Apply the upstream fix in commit 11b32da (https://github.com/neuml/txtai/commit/11b32da720f03276199ebc5583c15fc5d1ccafd3), which gates the /reindex endpoint behind a new 'reindex' configuration flag; upgrade to the first tagged release that includes this commit (Upstream fix available via commit; released patched version not independently confirmed, so verify against the vendor changelog). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify TOKEN authentication is enforced on all txtai API endpoints; restrict network access to the txtai service via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy