mindsdb
PyPI · 22 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mindsdb (page 1 of 1)
- CVE-2022-23522 | HIGH | CVSS 8.5 | EG 8.5 | ✓ Fixed in 22.11.4.3 | 2023-03-30
vulnerable: 0.6.5 ... 22.9.5.4 (386 versions)
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using `shutil.unpack_archive()` from a remotely retrieved tarball, which may lead to the writing of the extracted files to an unintended location.…
- CVE-2023-30620 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 23.2.1.0 | 2023-04-21
vulnerable: 0.6.5 ... 23.1.5.0 (394 versions)
mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using `tarfile.extractall()` from a remotely retrieved tarball, which may lead to the writing of the…
- CVE-2023-38699 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 23.7.4.0 | 2023-08-04
vulnerable: 0.6.5 ... 23.7.3.1 (432 versions)
MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certif…
- CVE-2023-49795 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 23.11.4.1 | 2023-12-11
vulnerable: 0.6.5 ... 23.9.3.1 (448 versions)
MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB's `s…
- CVE-2023-49796 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in commit 8d13c9c28ebcf3b36509eb679378004d4648d8fe | 2023-12-11
vulnerable: 0.6.5 ... 26.1.0 (580 versions)
MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the i…
- CVE-2023-50731 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 23.11.4.1 | 2023-12-22
vulnerable: 0.6.5 ... 23.9.3.1 (448 versions)
MindsDB is a SQL Server for artificial intelligence. Prior to version 23.11.4.1, the `put` method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled name value, which is used in a temporary file name, wh…
- CVE-2024-24759 | CRITICAL | CVSS 9.3 | EG 9.3 | ✓ Fixed in 23.12.4.2 | 2024-09-05
vulnerable: 0.6.5 ... 23.9.3.1 (452 versions)
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability ca…
- CVE-2024-3575 | MEDIUM | CVSS 6.1 | EG 5.8 | no fixed version listed | 2024-04-16
vulnerable: 0.6.5 ... 23.6.3.1 (426 versions)
Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb
- CVE-2024-45846 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 24.7.4.1 | 2024-09-12
vulnerable: 23.10.3.0 ... 24.7.4.0 (31 versions)
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python cod…
- CVE-2024-45847 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 24.7.4.1 | 2024-09-12
vulnerable: 23.11.4.4a6 ... 24.7.4.0 (25 versions)
An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is…
- CVE-2024-45848 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 24.7.4.1 | 2024-09-12
vulnerable: 23.12.4.0 ... 24.7.4.0 (24 versions)
An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is ru…
- CVE-2024-45849 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 24.7.4.1 | 2024-09-12
vulnerable: 23.10.5.0 ... 24.7.4.0 (29 versions)
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘IN…
- CVE-2024-45850 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 24.7.4.1 | 2024-09-12
vulnerable: 23.10.5.0 ... 24.7.4.0 (29 versions)
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘IN…
- CVE-2024-45851 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 24.7.4.1 | 2024-09-12
vulnerable: 23.10.5.0 ... 24.7.4.0 (29 versions)
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘IN…
- CVE-2024-45852 | HIGH | CVSS 8.8 | EG 8.8 | no fixed version listed | 2024-09-12
vulnerable: 23.10.2.0 ... 26.1.0 (178 versions)
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.
- CVE-2024-45853 | HIGH | CVSS 7.1 | EG 7.1 | no fixed version listed | 2024-09-12
vulnerable: 23.10.2.0 ... 26.1.0 (138 versions)
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.
- CVE-2024-45854 | HIGH | CVSS 7.1 | EG 7.1 | no fixed version listed | 2024-09-12
vulnerable: 23.10.3.0 ... 26.1.0 (137 versions)
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.
- CVE-2024-45855 | HIGH | CVSS 7.1 | EG 7.1 | no fixed version listed | 2024-09-12
vulnerable: 23.10.2.0 ... 26.1.0 (138 versions)
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.
- CVE-2024-45856 | CRITICAL | CVSS 9.0 | EG 9.0 | no fixed version listed | 2024-09-12
vulnerable: 0.6.5 ... 24.9.2.1 (484 versions)
A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScrip…
- CVE-2025-68472 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 25.11.1 | 2026-01-12
vulnerable: 0.6.5 ... 25.9.3rc1 (562 versions)
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move th…
- CVE-2026-2531 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 26.0.0rc1 | 2026-02-16
vulnerable: 0.6.5 ... 25.9.3rc1 (572 versions)
A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side requ…
- CVE-2026-7711 | HIGH | CVSS 7.3 | EG 7.3 | no fixed version listed | 2026-05-04
vulnerable: 0.6.5 ... 26.0.1 (577 versions)
A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted…