PT-2026-53998 · Pypi · Txtai
George Chen · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58449
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
txtai versions prior to 9.10.1
Description
The software exposes an API endpoint '/reindex' whose function body parameter is processed by txtai.util.Resolver. This resolver imports a module and calls getattr on a dotted path supplied by the user, without checking that path against an allowlist. If the API is deployed without a TOKEN configured for authentication and the index is writable, a remote attacker can point the function parameter at an arbitrary callable, such as subprocess.getoutput(), leading to remote code execution as the server process during reindexing.
Recommendations
Update to the version containing commit 11b32da.
Restrict access to the '/reindex' API endpoint, or configure a TOKEN for authentication, so that unauthenticated clients cannot reach it.
Set the index to read-only; exploitation requires a writable index, so this removes that precondition.
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Txtai
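The resolver pattern described in this advisory (import plus getattr on a caller-supplied dotted path) next to an allowlisted alternative, as an added example that is not txtai's own code; the allowlist contents and the function names are assumptions for illustration.

```python
import importlib
from typing import Callable, Optional

# Constructed allowlist for this example; it is not txtai's list of permitted callables.
ALLOWED_FUNCTIONS = frozenset({
    "json.dumps",
    "math.sqrt",
})


def resolve_unrestricted(path: str) -> Callable:
    """The weak pattern the advisory describes: import plus getattr on a
    caller-supplied dotted path, with no check on what the path names."""
    module_name, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def validate_function_path(path: str, allowed: frozenset = ALLOWED_FUNCTIONS) -> Optional[str]:
    """Return a rejection reason, or None if `path` may be resolved.
    The check runs before any import, so a rejected path never triggers
    module import side effects."""
    if not isinstance(path, str) or "." not in path:
        return "function must be a dotted module.attribute path"
    if path not in allowed:
        return f"callable not permitted: {path!r}"
    return None


def resolve_allowlisted(path: str, allowed: frozenset = ALLOWED_FUNCTIONS) -> Callable:
    """Hardened resolver: only allowlisted entries are imported, and the
    resolved object must actually be callable."""
    reason = validate_function_path(path, allowed)
    if reason is not None:
        raise ValueError(reason)
    module_name, _, attr = path.rpartition(".")
    target = getattr(importlib.import_module(module_name), attr)
    if not callable(target):
        raise TypeError(f"{path!r} is not callable")
    return target


if __name__ == "__main__":
    # An allowlisted entry resolves and runs; the subprocess path named in the
    # advisory is rejected before anything is imported.
    print(resolve_allowlisted("json.dumps")({"ok": True}))
    print(validate_function_path("subprocess.getoutput"))
```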