PT-2026-22991 · Doris+1

4Ur0N · Published 2026-03-02 · Updated 2026-03-11 · CVE-2026-28438

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CocoIndex versions prior to 0.3.34

Description: CocoIndex, a data transformation framework for AI, contains a flaw in the Doris target connector. Prior to version 0.3.34, the connector did not validate the configured table name before constructing SQL statements, specifically ALTER TABLE statements. Because the name is interpolated into the statement text, this lack of validation allows SQL injection when the target schema changes if the table name is supplied by an untrusted source. The vulnerable component is the Doris target connector; the vulnerable parameter is the table name.

Recommendations: Versions prior to 0.3.34 should be updated to version 0.3.34 or later. Ensure table names used to configure CocoIndex targets are valid and come from a trusted source. If the table name originates from an untrusted source, validate it before using it to configure the Doris target for CocoIndex.
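The recommendation above is to validate a table name before it reaches DDL. The following is an added example of such a check, written for this page and not taken from the CocoIndex project: a strict identifier allowlist applied to both `table` and `db.table` forms, followed by backtick quoting when the ALTER TABLE text is assembled. The allowlist pattern, the 64-character limit, the backtick quoting style and the `SAMPLE_NAMES` list are assumptions chosen for the example, not facts from the advisory.

```python
"""Validate a configured Doris table name before it is interpolated into DDL.

Added example, not CocoIndex project code. Assumptions: Doris accepts
MySQL-style backtick-quoted identifiers, and an identifier matching
[A-Za-z_][A-Za-z0-9_]* of at most 64 characters is a conservative subset
of what Doris allows. Adjust the pattern to your deployment's naming rules.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Conservative allowlist: letters, digits and underscore, not starting with a digit.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Column types the example is willing to emit; DDL type text cannot be parameterized either.
_ALLOWED_TYPES = {"INT", "BIGINT", "DOUBLE", "BOOLEAN", "DATETIME", "VARCHAR(255)"}


class InvalidIdentifier(ValueError):
    """Raised when a configured name is not a plain SQL identifier."""


def validate_identifier(name: str, what: str = "identifier") -> str:
    """Return `name` unchanged if it is a safe bare identifier, else raise.

    fullmatch() is used deliberately: re.match() with a trailing `$` would
    still accept a value that ends in a newline.
    """
    if not isinstance(name, str) or _IDENT_RE.fullmatch(name) is None:
        raise InvalidIdentifier(f"{what} {name!r} is not a valid identifier")
    return name


def validate_table_name(table: str) -> Tuple[Optional[str], str]:
    """Accept `table` or `db.table`; reject anything else (including quoted forms)."""
    parts = table.split(".")
    if len(parts) == 1:
        return None, validate_identifier(parts[0], "table name")
    if len(parts) == 2:
        db = validate_identifier(parts[0], "database name")
        tbl = validate_identifier(parts[1], "table name")
        return db, tbl
    raise InvalidIdentifier(f"table name {table!r} has too many qualifier parts")


def is_valid_table_name(table: str) -> bool:
    """Boolean wrapper for configuration-time checks."""
    try:
        validate_table_name(table)
        return True
    except InvalidIdentifier:
        return False


def quote_table(table: str) -> str:
    """Validate, then quote each part with backticks (assumed Doris/MySQL style)."""
    db, tbl = validate_table_name(table)
    return f"`{db}`.`{tbl}`" if db else f"`{tbl}`"


def alter_table_add_column(table: str, column: str, col_type: str) -> str:
    """Build an ALTER TABLE ... ADD COLUMN statement from validated pieces only."""
    col_type = col_type.strip().upper()
    if col_type not in _ALLOWED_TYPES:
        raise InvalidIdentifier(f"column type {col_type!r} is not in the allowlist")
    col = validate_identifier(column, "column name")
    return f"ALTER TABLE {quote_table(table)} ADD COLUMN `{col}` {col_type}"


# Constructed sample configuration values (not from the advisory): the first two
# are acceptable, the rest contain whitespace, punctuation, quoting or extra parts.
SAMPLE_NAMES = ["docs", "analytics.docs", "docs table", "docs;x", "`docs`", "a.b.c", "9docs", ""]


def check_names(names: Iterable[str]) -> Dict[str, bool]:
    """Map each configured name to whether it would be accepted."""
    return {n: is_valid_table_name(n) for n in names}


if __name__ == "__main__":
    for name, ok in check_names(SAMPLE_NAMES).items():
        print(f"{name!r:18} -> {'accepted' if ok else 'rejected'}")
    print(alter_table_add_column("analytics.docs", "score", "double"))
```

Prepared statements cannot bind identifiers, so the allowlist plus quoting is the practical defence for DDL: anything outside the pattern is rejected at configuration time rather than reaching the ALTER TABLE text, and rejecting the quoted form outright avoids having to reason about escaping inside backticks.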

Exploit
Fix
SQL injection

Weakness Enumeration

Related Identifiers
CVE-2026-28438
GHSA-59G6-V3VG-F7WC

Affected Products
Cocoindex
Doris