CVE-2026-7712

MEDIUM

MindsDB Pickle pickle.loads deserialization

Title source: cna

Description

A security vulnerability has been detected in MindsDB up to 26.01. It affects the function pickle.loads of the component Pickle Handler. Manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core References
Vdb Entry, Technical Description
VDB-360888 | MindsDB Pickle pickle.loads deserialization
https://vuldb.com/vuln/360888
Signature, Permissions Required
VDB-360888 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/360888/cti
Third Party Advisory
Submit #806827 | https://github.com/mindsdb/mindsdb <=26.01 Remote Code Execution
https://vuldb.com/submit/806827

Scores

CVSS v3 6.3
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-20 CWE-502
Status published
Products (1)
None/MindsDB 26.01
Published May 04, 2026
Tracked Since May 04, 2026