Description
txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a remote attacker can set function to an arbitrary callable such as subprocess.getoutput, achieving remote code execution as the server process during reindexing. Exploitation requires those deployment conditions (API exposed, no TOKEN, writable index); it is not the default configuration. The fix gates the endpoint behind a new reindex configuration flag.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsafe-reflection flaw (CWE-94, Improper Control of Generation of Code) allows an unauthenticated caller of the /reindex API to supply a dotted path that txtai.util.Resolver resolves with __import__ and getattr, with no allowlist. Because any importable callable can be named, an attacker can point the function parameter at subprocess.getoutput and have each reindexed document executed as a shell command by the server process. The result is full remote code execution and compromise of the host.

Affected Systems

txtai versions up to and including 9.10.0 are affected. The flaw is reachable only when the API is exposed without a TOKEN (authentication is opt-in, so without one every endpoint is unauthenticated) and the configured index is writable. Deployments that require a TOKEN or run a read-only index are not exploitable through this path. The fix is delivered in commit 11b32da, which gates the endpoint behind a new reindex configuration flag.
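The following is an added illustration of the two points above (the unsafe resolution in Impact and the gating fix in Affected Systems). It is not txtai's code: it approximates the __import__ plus getattr pattern the CVE describes, then shows a gated and allowlisted alternative. The `reindex` flag name follows the description; the allowlist, its entries and the handler's return shape are assumptions for the example.

```python
"""Unsafe dotted-path reflection beside a gated, allowlisted alternative.

Added illustration; this is NOT txtai's code. It approximates the pattern the
CVE describes (__import__ + getattr on a caller-supplied string) and contrasts
it with two defences: the configuration gate the fix introduces and an
allowlist of named functions (the allowlist and its entries are assumptions).
"""
from typing import Callable


def resolve_unsafe(path: str) -> Callable:
    """Vulnerable pattern: any importable dotted path becomes a callable.

    "subprocess.getoutput" -> subprocess.getoutput, so a request body such as
    {"function": "subprocess.getoutput"} turns every document passed through
    reindexing into a shell command run as the server process.
    """
    module_name, _, attr = path.rpartition(".")
    # fromlist=[attr] makes __import__ return the leaf module for "a.b.c" paths
    module = __import__(module_name, fromlist=[attr])
    return getattr(module, attr)


# Hypothetical allowlist: the only functions a reindex request may name.
ALLOWED_FUNCTIONS: dict[str, Callable[[str], str]] = {
    "lowercase": str.lower,
    "strip": str.strip,
}


class ResolverError(ValueError):
    """Raised when a request names a function outside the allowlist."""


def resolve_safe(name: str) -> Callable[[str], str]:
    """Hardened: a table lookup, never an import driven by user input."""
    try:
        return ALLOWED_FUNCTIONS[name]
    except KeyError:
        raise ResolverError(f"function {name!r} is not allowlisted") from None


def reindex_request(config: dict, documents: list[str], function_name: str) -> dict:
    """Handler sketch modelled on the fix: refuse unless the deployment has
    opted in via a `reindex` config flag, then resolve only through the
    allowlist. The returned dict shape is an assumption, not txtai's API."""
    if not config.get("reindex", False):
        return {"ok": False, "error": "reindex endpoint disabled by configuration"}
    try:
        fn = resolve_safe(function_name)
    except ResolverError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "documents": [fn(doc) for doc in documents]}


if __name__ == "__main__":
    # Attacker-controlled value taken straight from a JSON body
    evil = "subprocess.getoutput"
    fn = resolve_unsafe(evil)
    print("unsafe resolver returned:", fn)
    print("and it executes:", fn("echo shell-ran-as-server-process"))

    print(reindex_request({}, ["Hello"], "lowercase"))
    print(reindex_request({"reindex": True}, ["Hello"], "lowercase"))
    print(reindex_request({"reindex": True}, ["id"], evil))
```

Note that the gate alone (the approach the fix takes) only removes the exposure where reindexing is left disabled; the allowlist closes the resolution itself for deployments that need the endpoint.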

Risk and Exploitability

The CVSS v3.1 base score is 9.8 and the CVSS v4.0 score is 9.3, both Critical; both vectors record network attack, low complexity, no privileges and no user interaction. No EPSS score is available and the CVE is not listed in the CISA KEV catalog, but exploitation is straightforward for anyone with network access to an unauthenticated instance with a writable index: a single crafted /reindex request naming an arbitrary callable suffices, with no further privileges or vectors. The fix in commit 11b32da gates the endpoint behind a configuration flag, which removes the exposure on deployments that update and leave reindexing disabled.

Generated by OpenCVE AI on June 30, 2026 at 22:21 UTC.

Remediation

Fixed in commit 11b32da, which gates the /reindex endpoint behind a new reindex configuration flag. No separate vendor advisory is linked on this page.

OpenCVE Recommended Actions

  • Upgrade txtai to a release newer than 9.10.0 that includes commit 11b32da, or apply that patch directly
  • Configure a TOKEN so the API requires authentication; without one every endpoint, including /reindex, is unauthenticated
  • Set the index to read‑only or disable the writable index capability to prevent reindexing via the vulnerable API
  • If immediate upgrade is not possible, block external access to the /reindex endpoint using a reverse proxy or firewall rule

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description                           (identical to the Description section above)
Title                                 txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter
First Time appeared                   Neuml; Neuml txtai
Weaknesses                            CWE-94
CPEs                                  cpe:2.3:a:neuml:txtai:*:*:*:*:*:*:*:*
Vendors & Products                    Neuml; Neuml txtai
References
Metrics                               cvssV3_1: 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                                      cvssV4_0: 9.3, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T21:06:47.254Z

Reserved: 2026-06-30T19:09:07.025Z

Link: CVE-2026-58449

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')