Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.
AnalysisAI
SQL injection in agno 2.6.5's ClickHouse vector database backend allows authenticated attackers to inject arbitrary SQL via metadata keys and values passed to delete_by_metadata(). The flaw stems from unsafe f-string interpolation in clickhousedb.py and enables row deletion, targeted data tampering, and information extraction through error-based or blind SQLi. No public exploit identified at time of analysis, but a vendor patch (PR #7883) is available and the issue was disclosed by VulnCheck.
Technical ContextAI
agno is an open-source Python framework for building AI agents (CPE cpe:2.3:a:agno-agi:agno) that integrates with multiple vector database backends, including ClickHouse via the clickhouse_connect driver. The vulnerability is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the delete_by_metadata() method in libs/agno/agno/vectordb/clickhouse/clickhousedb.py iterated over caller-supplied metadata dictionaries and built ClickHouse JSONExtractString/JSONExtractFloat/JSONExtractBool WHERE conditions using Python f-string interpolation of both the dict key and value. Because neither identifier nor literal was passed through the ClickHouse named-parameter system ({name:Type} placeholders), any string that escaped the surrounding single quotes - for example a key containing ') = 1 OR (JSONExtractString(toString(filters), ' - was concatenated directly into the executed SQL. The fix replaces interpolation with named ClickHouse parameters (meta_key_N / meta_val_N typed as String, Float64, or Bool) so the driver performs proper escaping.
RemediationAI
Patch available per vendor advisory: upgrade agno to the release that contains PR https://github.com/agno-agi/agno/pull/7883, which rewrites delete_by_metadata to pass metadata keys and values as ClickHouse named parameters ({meta_key_N:String} / {meta_val_N:String|Float64|Bool}) instead of f-string-interpolated literals; the exact released patched version is not independently confirmed from the provided data, so pin to the first agno tag that includes commits 26a7439 and a0ec993. Until you can upgrade, the most effective compensating control is to stop forwarding untrusted metadata into ClickHouseDb.delete_by_metadata - either restrict the call site to operator-only code paths, or wrap it with a strict allowlist that rejects any key not matching ^[A-Za-z0-9_]+$ and coerces values to expected types before the call; this preserves functionality for trusted callers but blocks injection payloads. If agent tools expose deletion to end users, disable the delete-by-metadata tool entirely as an interim measure, accepting the loss of programmatic vector cleanup. Track the upstream issue at https://github.com/agno-agi/agno/issues/7866 and the VulnCheck advisory at https://www.vulncheck.com/advisories/agno-sql-injection-via-clickhouse-delete-by-metadata for a confirmed fixed version.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33358
GHSA-82m5-3pcp-hccq