2.1
MindsDB's File Upload Function Allows Remote Attackers to Forge Requests
CVE-2026-2531
GHSA-6xw9-2p64-7622
Summary
MindsDB's file upload feature has a security flaw that could let attackers trick the server into making unintended requests. This could happen remotely, without needing direct access to the server. Update to the latest version (25.14.2 or higher) to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | mindsdb | <= 25.14.1 | – |
| mindsdb | mindsdb | <= 25.14.1 | – |
Original title
MindsDB affected by an SSRF vulnerability
Original description
A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed remotely. The exploit has been disclosed publicly and may be used.
nvd CVSS2.0
6.5
nvd CVSS3.1
7.3
nvd CVSS4.0
5.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
- https://github.com/mindsdb/mindsdb/ Product
- https://github.com/mindsdb/mindsdb/issues/12163 Exploit Issue Tracking Third Party Advisory
- https://github.com/mindsdb/mindsdb/pull/12213 Issue Tracking Patch
- https://github.com/themavik/mindsdb/commit/74d6f0fd4b630218519a700fbee1c05c7fd4b... Patch
- https://vuldb.com/?ctiid.346119 Permissions Required VDB Entry
- https://vuldb.com/?id.346119 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.748219 Third Party Advisory VDB Entry
- https://nvd.nist.gov/vuln/detail/CVE-2026-2531
- https://github.com/advisories/GHSA-6xw9-2p64-7622
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026