CVE-2026-28438
Published 2026-03-06
Priority P261 | critical 9.8 | CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.28% (19.9th percentile)
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector did not verify the configured table name before building some SQL statements (ALTER TABLE). So, in the application code, if the table name is provided by an untrusted upstream, it exposes a SQL injection vulnerability when the target schema changes. This issue has been patched in version 0.3.34.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cocoindex-io | cocoindex | < 0.3.34 | 0.3.34 |
| cocoindex | cocoindex | < 0.3.34 | 0.3.34 |
| cocoindex | cocoindex | >= 0 < 0.3.34 | 0.3.34 |
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
osv · 2026-03-02 · CVE-2026-28438 [HIGH]
### Impact
The Doris target connector didn't verify the configured table name before creating some SQL statements (`ALTER TABLE`). So, in the application code, if the table name is provided by an untrusted upstream, it exposes a SQL injection vulnerability when the target schema changes.
### Patches
Yes, it's fixed in cocoindex 0.3.34: we started validating table names passed to the Doris target at the entry point and error out immediately if a name is not a valid identifier.
### Workarounds
Users should make sure table names used to configure CocoIndex targets are valid, regardless of this fix, which means:
- The table name comes from a trusted source (e.g. in most cases it's just a fixed string literal).
GHSA
CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
ghsa · 2026-03-02 · CVE-2026-28438 [HIGH] · CWE-89
### Impact
The Doris target connector didn't verify the configured table name before creating some SQL statements (`ALTER TABLE`). So, in the application code, if the table name is provided by an untrusted upstream, it exposes a SQL injection vulnerability when the target schema changes.
### Patches
Yes, it's fixed in cocoindex 0.3.34: we started validating table names passed to the Doris target at the entry point and error out immediately if a name is not a valid identifier.
### Workarounds
Users should make sure table names used to configure CocoIndex targets are valid, regardless of this fix, which means:
- The table name comes from a trusted source (e.g. in most cases it's just a fixed string literal).
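The Patches and Workarounds sections above both come down to one control: treat the table name as an identifier, check it against a strict identifier grammar at the entry point, and refuse anything else before any `ALTER TABLE` text is assembled. The following is an added illustration of that control, not CocoIndex's own connector code. It assumes a conservative identifier rule (leading letter or underscore, then letters, digits and underscores, at most 64 characters) and MySQL-style backtick quoting, which Doris accepts; the exact rule CocoIndex 0.3.34 applies is not stated on this page. The `build_alter_table_unchecked` function reproduces the pre-fix pattern of interpolating the configured name directly, so the two builders can be compared side by side.

```python
import re

# Conservative identifier grammar (an assumption for this example, not the
# project's own rule): leading letter or underscore, then letters, digits or
# underscores, 1..64 characters total. Anything outside this is rejected
# outright rather than escaped, which is the behaviour the advisory describes.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Allowlist of column types this example is willing to emit. Like the table
# name, the type is part of the statement text, so it is matched against known
# values instead of being interpolated from configuration.
ALLOWED_COLUMN_TYPES = {"INT", "BIGINT", "VARCHAR(65533)", "STRING", "ARRAY<FLOAT>"}


def is_valid_identifier(name: object) -> bool:
    """True only for a str that matches the identifier grammar exactly."""
    return isinstance(name, str) and _IDENT_RE.fullmatch(name) is not None


def validate_identifier(name: object, what: str = "identifier") -> str:
    """Entry-point check: return the name unchanged or raise immediately."""
    if not is_valid_identifier(name):
        raise ValueError(f"invalid {what}: {name!r}")
    return name  # type: ignore[return-value]


def build_alter_table_unchecked(table_name: str, column: str, col_type: str) -> str:
    """Pre-fix pattern: the configured name goes straight into the statement.

    A table name taken from an untrusted upstream controls the SQL text here.
    """
    return f"ALTER TABLE {table_name} ADD COLUMN {column} {col_type}"


def build_alter_table_checked(table_name: str, column: str, col_type: str) -> str:
    """Hardened pattern: validate every identifier, allowlist the type, quote."""
    table = validate_identifier(table_name, "table name")
    col = validate_identifier(column, "column name")
    if col_type not in ALLOWED_COLUMN_TYPES:
        raise ValueError(f"unsupported column type: {col_type!r}")
    # Backtick quoting is Doris/MySQL identifier syntax; the validator already
    # guarantees no backtick can appear inside the name.
    return f"ALTER TABLE `{table}` ADD COLUMN `{col}` {col_type}"


def statement_count(sql: str) -> int:
    """Rough check used in the demo: how many ';'-separated statements appear."""
    return len([s for s in sql.split(";") if s.strip()])


if __name__ == "__main__":
    # Constructed sample inputs: one benign configured name, one that an
    # untrusted upstream could supply to smuggle a second statement.
    benign = "docs_embeddings"
    hostile = "docs; DROP TABLE docs"

    print(build_alter_table_unchecked(hostile, "embedding", "ARRAY<FLOAT>"))
    print(build_alter_table_checked(benign, "embedding", "ARRAY<FLOAT>"))
    try:
        build_alter_table_checked(hostile, "embedding", "ARRAY<FLOAT>")
    except ValueError as exc:
        print("rejected at entry point:", exc)
```

The design choice worth noting is reject-not-escape: an identifier that fails the grammar is an error at configuration time, before any schema change runs, so a misconfigured or tampered upstream value fails loudly instead of reaching the database. Quoting is applied on top of validation, not instead of it.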
No detection rules found.
No public exploits indexed.
Published: 2026-03-06