Description
agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw in agno 2.6.5's ClickHouse backend, where malicious metadata keys and values supplied to delete_by_metadata() are interpolated directly into SQL statements via an f-string in clickhousedb.py. The flaw permits attackers to execute arbitrary SQL expressions, allowing them to delete every row, target specific rows, or glean database contents with error-based or blind techniques. This is a CWE-89 weakness that compromises confidentiality, integrity, and availability of the stored data.

Affected Systems

Only the agno product from the agno‑agi vendor is known to be affected, specifically version 2.6.5. No other versions or related products are listed. If a system is running agno 2.6.5 and uses the ClickHouse vector database backend, it is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. EPSS data is not available, and the issue is not in CISA’s KEV catalog. The likely attack vector is through any interface that calls delete_by_metadata(), which can be invoked by users with privileges to submit metadata. An attacker who can supply the malicious payload can delete entire tables or exfiltrate sensitive data, making this an urgent risk for environments where agno’s ClickHouse integration is exposed to untrusted input.

Generated by OpenCVE AI on May 29, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading agno to the latest release, which passes sanitized parameters in delete_by_metadata() instead of interpolating them (see pull request 7883).
  • If an upgrade is not immediately possible, enforce strict input validation on metadata keys and values: accept only alphanumeric strings and disallow characters that could break the query, or use prepared statements to prevent interpolation.
  • Restrict database‑level privileges so that the ClickHouse user only has permissions necessary for the application and monitor logs for anomalous delete commands.
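The second recommendation in working form, as an added example that is not agno's code or the fix from pull request 7883: metadata keys are allow-listed and both keys and values are bound through ClickHouse's native {name:Type} query parameters, so no user-supplied text reaches the SQL string. The table name, the Map(String, String) column called metadata, and the ALTER TABLE ... DELETE form are assumptions for the illustration.

```python
import re
from typing import Dict, Tuple

# Allow-list for identifiers (table names, metadata keys): letters, digits, underscore.
_IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def build_delete_by_metadata(table: str, metadata: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return (sql, params) for a metadata-filtered DELETE.

    The unsafe pattern described for clickhousedb.py is, in effect,
        f"... WHERE metadata['{key}'] = '{value}'"
    Here every key and value is instead bound as a ClickHouse query
    parameter ({k0:String}, {v0:String}, ...), which the driver passes
    separately from the statement text. Schema names are assumptions.
    """
    if not _IDENT.match(table):
        raise ValueError(f"unsafe table name: {table!r}")
    if not metadata:
        # An empty filter would match every row; refuse rather than wipe the table.
        raise ValueError("refusing DELETE with no metadata filter")

    clauses = []
    params: Dict[str, str] = {}
    for i, (key, value) in enumerate(metadata.items()):
        # Defense in depth: keys are parameterized below, but still allow-listed.
        if not isinstance(key, str) or not _IDENT.match(key):
            raise ValueError(f"unsafe metadata key: {key!r}")
        if not isinstance(value, str):
            raise ValueError(f"metadata value for {key!r} must be a string")
        params[f"k{i}"] = key
        params[f"v{i}"] = value
        # Doubled braces produce literal {k0:String} placeholders in the output.
        clauses.append(f"metadata[{{k{i}:String}}] = {{v{i}:String}}")

    sql = f"ALTER TABLE {table} DELETE WHERE " + " AND ".join(clauses)
    return sql, params


if __name__ == "__main__":
    # Constructed sample filter; values with quote characters stay in params.
    statement, bound = build_delete_by_metadata("agno_vectors", {"doc_id": "abc-1", "owner": "O'Reilly"})
    print(statement)
    print(bound)
```

With a client such as clickhouse-connect the two return values are passed as the query string and its parameters dictionary; the statement text never changes with the input.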



Advisories

No advisories yet.

History

Fri, 29 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Agno-agi; Agno-agi agno
Vendors & Products | | Agno-agi; Agno-agi agno

Fri, 29 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.
Title | | agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T16:18:59.425Z

Reserved: 2026-05-29T16:02:26.062Z

Link: CVE-2026-10105

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-29T18:16:31.003

Modified: 2026-05-29T18:16:31.003

Link: CVE-2026-10105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses