Description
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So, in the application code, if the table name is provided by an untrusted upstream, it exposes a SQL injection vulnerability when the target schema changes. This issue has been patched in version 0.3.34.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing unauthorized database schema changes
Action: Patch immediately
AI Analysis

Impact

CocoIndex's Doris target connector constructs "ALTER TABLE" statements without validating the table name supplied by upstream sources. The SQL injection flaw can give an attacker the ability to alter database tables, create or drop columns, and potentially modify data or schema, compromising both data integrity and confidentiality. The weakness is classified as CWE-89 (SQL injection), a classic input validation flaw.

Affected Systems

The vulnerability affects CocoIndex deployments running any version earlier than 0.3.34, regardless of installation environment. All products listed under the CocoIndex brand using the Doris connector are impacted.

Risk and Exploitability

Based on the description, exploiting this flaw would require an attacker to supply a malicious table name through an untrusted upstream source that feeds into the Doris connector. The vulnerability then allows the attacker to manipulate ALTER TABLE statements, potentially adding, dropping, or modifying columns and thereby altering the database schema. The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% signals a low likelihood of exploitation in the wild; the vulnerability is not listed in CISA's KEV catalog. An attacker who achieves this could compromise data integrity and confidentiality by changing or destroying schema definitions.

Generated by OpenCVE AI on April 17, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CocoIndex to version 0.3.34 or later, which implements proper table name validation.
  • Review and sanitize any upstream data feeding table names into the Doris connector; enforce a whitelist of allowed identifiers.
  • Configure access controls to restrict who can supply table name inputs, ensuring only trusted systems can influence schema-changing operations.
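The second recommended action, an allowlist of permitted identifiers, is the check that closes this class of bug. The following is an added example of that check, not CocoIndex's own code or its patch: it assumes Doris follows MySQL-style unquoted identifier rules (letters, digits, underscores, not starting with a digit), accepts an optional configured set of known table names, and only ever builds the ALTER TABLE statement from parts that have passed validation. The table, column and type names used in the demo are constructed placeholders.

```python
import re

# Allowlist for one identifier part. Assumption: Doris (MySQL-compatible)
# unquoted identifiers are letters, digits and underscores, not starting with
# a digit. The length cap is a conservative choice for this example.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Allowlist of column types this example is willing to emit in ALTER TABLE.
_TYPE_RE = re.compile(r"(?:INT|BIGINT|BOOLEAN|DOUBLE|DATETIME|VARCHAR\(\d{1,5}\)|STRING)")


class UnsafeIdentifier(ValueError):
    """Raised when an identifier or column type fails the allowlist check."""


def validate_identifier(part, what="identifier"):
    """Accept exactly one plain identifier; reject anything with metacharacters."""
    if not isinstance(part, str) or not _IDENT_RE.fullmatch(part):
        raise UnsafeIdentifier(f"illegal {what} {part!r}")
    return part


def validate_table_name(name, allowed_tables=None):
    """Return the parts of `name` (`table` or `db.table`) if every part is safe.

    Quotes, whitespace, semicolons, comment markers and backticks all fail the
    regex, so they never reach the SQL text. If `allowed_tables` is given, the
    table part must additionally be one of the configured names.
    """
    if not isinstance(name, str) or not name:
        raise UnsafeIdentifier("table name must be a non-empty string")
    parts = name.split(".")
    if len(parts) > 2:
        raise UnsafeIdentifier(f"expected 'table' or 'db.table', got {name!r}")
    parts = tuple(validate_identifier(p, "table name part") for p in parts)
    if allowed_tables is not None and parts[-1] not in allowed_tables:
        raise UnsafeIdentifier(f"table {parts[-1]!r} is not in the configured allowlist")
    return parts


def validate_column_type(col_type):
    """Accept only column types from the fixed allowlist (case-insensitive)."""
    if not isinstance(col_type, str) or not _TYPE_RE.fullmatch(col_type.upper()):
        raise UnsafeIdentifier(f"unsupported column type {col_type!r}")
    return col_type.upper()


def quote_identifier(parts):
    """Backtick-quote each validated part; safe because parts cannot contain backticks."""
    return ".".join(f"`{p}`" for p in parts)


def build_add_column(table, column, col_type, allowed_tables=None):
    """Build an ALTER TABLE ... ADD COLUMN statement from validated pieces only.

    Every fragment that ends up in the statement has passed an allowlist
    check first, so untrusted upstream input can only select among known-safe
    shapes rather than contribute raw SQL.
    """
    table_parts = validate_table_name(table, allowed_tables)
    col = validate_identifier(column, "column name")
    typ = validate_column_type(col_type)
    return f"ALTER TABLE {quote_identifier(table_parts)} ADD COLUMN `{col}` {typ}"


def is_safe_table_name(name, allowed_tables=None):
    """Boolean wrapper around validate_table_name, handy for audits and tests."""
    try:
        validate_table_name(name, allowed_tables)
        return True
    except UnsafeIdentifier:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed names and a few that an
    # upstream source should never be allowed to pass through.
    print(build_add_column("kb.docs", "summary", "varchar(255)", {"docs"}))
    for candidate in ["docs", "kb.docs", "docs; SELECT 1", "docs`", "1docs", "a.b.c", ""]:
        print(f"{candidate!r:>18} -> {'ok' if is_safe_table_name(candidate) else 'rejected'}")
```

Validation happens before quoting on purpose: quoting alone would leave a name containing a backtick ambiguous, whereas the allowlist guarantees the quoted form is exactly one identifier. The optional `allowed_tables` set is how a deployment turns "any syntactically valid name" into "only the tables this pipeline is configured to manage".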


Advisories

Source: GitHub GHSA
ID: GHSA-59g6-v3vg-f7wc
Title: CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements

History

Tue, 10 Mar 2026 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cocoindex; Cocoindex cocoindex
CPEs                                  cpe:2.3:a:cocoindex:cocoindex:*:*:*:*:*:*:*:*
Vendors & Products                    Cocoindex; Cocoindex cocoindex
Metrics                               cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cocoindex-io; Cocoindex-io cocoindex
Vendors & Products                    Cocoindex-io; Cocoindex-io cocoindex

Fri, 06 Mar 2026 07:00:00 +0000

Type                 Values Removed   Values Added
Description                           CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. This issue has been patched in version 0.3.34.
Title                                 CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
Weaknesses                            CWE-89
References
Metrics                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-06T16:06:07.600Z
Reserved: 2026-02-27T15:54:05.139Z
Link: CVE-2026-28438

Vulnrichment

Updated: 2026-03-06T16:00:08.876Z

NVD

Status: Analyzed
Published: 2026-03-06T07:15:58.770
Modified: 2026-03-10T19:47:34.033
Link: CVE-2026-28438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses