PT-2026-21751 · Mindsdb · Mindsdb

Xlabaiteam · Published 2026-02-24 · Updated 2026-03-16 · CVE-2026-27483
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MindsDB versions prior to 25.9.1.1
Description: MindsDB, a platform for building artificial intelligence from enterprise data, has a path traversal flaw in its /api/files interface that an authenticated attacker can exploit to achieve remote command execution. The vulnerability resides in the "Upload File" module, specifically at the /api/files API endpoint. The system does not perform security checks on uploaded file paths, so ../ sequences in the filename traverse outside the intended upload directory. Because the file write occurs before the filename is filtered, arbitrary content can be written to any location on the server. An attacker can overwrite existing executable files, such as /venv/lib/python3.10/site-packages/pip/__init__.py, and trigger their execution through other MindsDB functionality, such as handler installation, potentially achieving Remote Code Execution (RCE).
Recommendations: Upgrade to MindsDB version 25.9.1.1 or later to resolve this vulnerability.
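The defect described above is one of ordering: the upload is written to disk before the filename is checked. The following is an added example, not MindsDB code, of the validate-then-write pattern that closes this class of bug; UPLOAD_ROOT and the function names are hypothetical.

```python
import os
import re

# Hypothetical upload root for this example; not a MindsDB path.
UPLOAD_ROOT = "/var/lib/app/uploads"

# Strict allow-list for the final name component: no path separators and no
# leading dot, so neither "../" nor "..\" nor a percent-encoded form survives.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


class UnsafeFilename(ValueError):
    """Client-supplied filename would escape the upload root."""


def resolve_upload_path(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute destination for `filename`, or raise UnsafeFilename.

    Two independent checks: the allow-list above, then a containment test on
    the normalised path (defence in depth against a symlinked root).
    """
    if not _SAFE_NAME.fullmatch(filename):
        raise UnsafeFilename(f"rejected filename: {filename!r}")
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, filename))
    # commonpath() is the containment test; a plain startswith() would
    # accept /var/lib/app/uploads-evil as lying inside /var/lib/app/uploads.
    if os.path.commonpath([root_real, dest]) != root_real:
        raise UnsafeFilename(f"path escapes upload root: {dest!r}")
    return dest


def is_safe_upload_name(filename: str, root: str = UPLOAD_ROOT) -> bool:
    """Boolean form of the check, for request validation and tests."""
    try:
        resolve_upload_path(filename, root)
        return True
    except UnsafeFilename:
        return False


def save_upload(filename: str, data: bytes, root: str = UPLOAD_ROOT) -> str:
    """Validate first, write second: the order the advisory says was inverted."""
    dest = resolve_upload_path(filename, root)  # raises before anything is written
    os.makedirs(root, exist_ok=True)
    # O_EXCL refuses to replace an existing file, so even a validation regression
    # could not overwrite an installed module such as pip/__init__.py.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```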

Exploit

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-27483
GHSA-4894-XQV6-VRFQ

Affected Products

Mindsdb