CVE-2026-27483

HIGH NUCLEI

MindsDB < 25.9.1.1 - Authenticated Path Traversal and Remote Command Execution via /api/files Upload

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-27483. PoCs published by thewhiteh4t, XiaomingX, XZ1r0. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a path traversal vulnerability in MindsDB versions prior to 25.9.1.1, leading to remote code execution (RCE) by uploading a malicious Python script via a crafted file upload request and triggering its execution through handler installation.

Description

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.9.1.1, there is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution. The vulnerability exists in the "Upload File" module, which corresponds to the API endpoint /api/files. Since the multipart file upload does not perform security checks on the uploaded file path, an attacker can perform path traversal by using `../` sequences in the filename field. The file write operation occurs before calling clear_filename and save_file, meaning there is no filtering of filenames or file types, allowing arbitrary content to be written to any path on the server. Version 25.9.1.1 patches the issue.

Exploits (4)

exploitdb WORKING POC

by thewhiteh4t · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52547

View Code ZIP pw:eip

This exploit demonstrates a path traversal vulnerability in MindsDB versions prior to 25.9.1.1, leading to remote code execution (RCE) by uploading a malicious Python script via a crafted file upload request and triggering its execution through handler installation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MindsDB < 25.9.1.1

Auth required

Prerequisites: network access to MindsDB API · valid credentials if authentication is enabled · listener setup for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 05, 2026 Full analysis →

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27483

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-27483, a path traversal vulnerability in MindsDB <= 25.9.1.0 that allows remote code execution by overwriting Python's pip module with a reverse shell payload. The PoC supports both authenticated and unauthenticated modes and includes detailed usage instructions.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MindsDB <= 25.9.1.0

No auth needed

Prerequisites: Network access to MindsDB API · Python 3.x environment with requests and packaging libraries

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 07, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/cve-2026-27483

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-27483, a path traversal vulnerability in MindsDB that allows remote code execution by uploading a malicious file to a predictable path and triggering its execution. The PoC includes a Python script and a Nuclei template for detection and exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MindsDB versions >= 25.4.1.0 and <= 25.9.1.0

Auth required

Prerequisites: Network access to MindsDB API · Valid credentials if authentication is enabled · Python 3.10 environment for the payload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 21, 2026 Full analysis →

nomisec WORKING POC

by thewhiteh4t · poc

https://github.com/thewhiteh4t/cve-2026-27483

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-27483, a path traversal vulnerability in MindsDB <= 25.9.1.0 that leads to remote code execution. The PoC uploads a malicious Python file to a predictable path and triggers its execution via handler installation.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MindsDB <= 25.9.1.0

No auth needed

Prerequisites: Network access to MindsDB API · Python 3.10 environment (for the target) · Listener setup for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 06, 2026 Full analysis →

Nuclei Templates (1)

MindsDB - Remote Code Execution

HIGHVERIFIEDby thewhiteh4t

Shodan: http.title:"MindsDB"

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq

Patch x_refsource_misc

https://github.com/mindsdb/mindsdb/commit/87a44bdb2b97f963e18f10a068e1a1e2690505ef

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/mindsdb/mindsdb/releases/tag/v25.9.1.1

Scores

CVSS v3 8.8

EPSS 0.1111

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (2)

mindsdb/mindsdb < 25.9.1.1

pypi/mindsdb 0 - 25.9.1.1PyPI

Published Feb 24, 2026

Tracked Since Feb 24, 2026