PT-2026-53998 · Pypi · Txtai

George Chen · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58449

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: txtai versions prior to 9.10.1

Description: The software exposes an API endpoint '/reindex' whose 'function' body parameter is processed by txtai.util.Resolver. This resolver performs an import and a getattr on a dotted path supplied by the user without checking it against an allowlist. If the API is deployed without a TOKEN configured for authentication and the index is writable, a remote attacker can set the 'function' parameter to an arbitrary callable, such as subprocess.getoutput(), leading to remote code execution in the context of the server process when the reindex runs.

Recommendations: Update to the version containing commit 11b32da. Restrict access to the '/reindex' API endpoint or configure a TOKEN for authentication to prevent unauthorized access. Set the index to read-only, since exploitation requires a writable index.
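The following is an added example, not txtai's own code: the unsafe import-plus-getattr resolution pattern the description refers to, beside a resolver that only returns callables the server has registered in advance, so the request string is never used to import anything (the function names, the allowlist contents and the reindex helper are hypothetical).

```python
# Added example (hypothetical, not txtai's code): the unsafe dotted-path
# resolution pattern described in the advisory next to an allowlisted form.
import importlib
import unicodedata
from typing import Callable


def resolve_unrestricted(path: str) -> Callable:
    """Unsafe pattern: any importable module, any attribute, chosen by the caller.

    A request parameter that reaches this function can name any callable on
    the server's Python path, which is the flaw class the advisory describes.
    """
    module_name, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def normalize_text(text: str) -> str:
    """A transform a reindex step might legitimately apply (hypothetical)."""
    return unicodedata.normalize("NFKC", text).strip().lower()


# Hardened form: the server registers the callables it is willing to run.
# No import or getattr happens on user input; the string is only a dict key.
ALLOWED_FUNCTIONS: dict[str, Callable[[str], str]] = {
    "normalize": normalize_text,
    "strip": str.strip,
}


def resolve_allowlisted(name: str) -> Callable[[str], str]:
    """Map a request-supplied name to a pre-registered callable, or refuse."""
    try:
        return ALLOWED_FUNCTIONS[name]
    except KeyError:
        raise ValueError(f"function {name!r} is not permitted") from None


def reindex_documents(docs: list[str], function: str) -> list[str]:
    """Apply the requested transform to each document before reindexing."""
    transform = resolve_allowlisted(function)
    return [transform(d) for d in docs]


if __name__ == "__main__":
    print(reindex_documents(["  Héllo ", "WORLD"], "normalize"))
```

Rejecting unknown names before any import happens also gives the API a clean place to log and alert on attempts to pass module paths such as subprocess.getoutput through the parameter.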

Fix

Code Injection


Weakness Enumeration

Related Identifiers: CVE-2026-58449

Affected Products: Txtai