Description
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Improper Authorization
Action: Apply Patch
AI Analysis

Impact

The vulnerability is located in a legacy Flask API component of the vanna package. An attacker can manipulate requests to a function that lacks proper authorization checks, allowing them to invoke privileged actions. The vulnerability can be exploited remotely, and the exploit has already been publicly disclosed, meaning an attacker could potentially gain unauthorized access to resources or functionality that should be protected.

Affected Systems

Vendor vanna-ai’s vanna product, versions through 2.0.2, is affected. Users running these versions should review their deployment to confirm the presence of the legacy API endpoint.

Risk and Exploitability

The CVSS 4.0 score of 6.9 indicates moderate severity for this improper authorization flaw (the CVSS 3.x vectors recorded below score it 7.3). An EPSS score below 1% suggests a low probability of exploitation in the wild at present, and the flaw is not in the CISA KEV catalog; the SSVC assessment nonetheless records a public proof of concept (Exploitation: poc) and rates the flaw automatable. The attack vector is network-based and requires neither privileges nor user interaction (AV:N/PR:N/UI:N), relying only on the ability to send crafted HTTP requests to the exposed legacy endpoint. Impact is rated low on confidentiality, integrity and availability (VC:L/VI:L/VA:L) with no impact on subsequent systems, but any unauthenticated reach into a privileged function means the endpoint should be treated as exposed until it is removed or gated.

Generated by OpenCVE AI on April 28, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vanna to a release later than 2.0.2 once the vendor publishes one that removes or secures the legacy Flask API endpoints; as of this record no vendor fix has been announced, so check the release notes rather than assuming the latest version is patched.
  • If an upgrade is not immediately possible, disable the legacy Flask API routes or block access to them via web server configuration or firewall rules.
  • Implement network‑level authentication or IP whitelisting for the API to limit exposure.
  • Enable comprehensive logging for the API and monitor for unauthorized access attempts.
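As an added illustration of the second, third and fourth recommendations (this is example code written for this page, not code from vanna or from the advisory), the following stdlib-only WSGI middleware sits in front of any Flask application (Flask apps are WSGI callables) and refuses requests to a legacy route prefix unless the client is on a trusted network and presents a valid bearer token, recording every refusal for monitoring. The prefix /legacy/, the trusted network 10.0.0.0/8, the bearer-token scheme, the token value and the stand-in legacy_app are all assumptions; this page does not name vanna's actual routes.

```python
"""Added example: gate a legacy API prefix at the WSGI layer and audit refusals.

Not vanna's code. The prefix, trusted network, token scheme and the
stand-in application below are assumptions made for the example.
"""
import hmac
import ipaddress
import json
from typing import Dict, List, Optional

LEGACY_PREFIX = "/legacy/"                               # hypothetical route prefix
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical allowlist


def legacy_app(environ, start_response):
    """Stand-in for an endpoint with no authorization check (hypothetical).

    Every request, authenticated or not, gets the same 'privileged' answer,
    mirroring the behaviour the advisory describes.
    """
    body = json.dumps({"result": "privileged action executed"}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


class LegacyApiGuard:
    """WSGI middleware: allowlist the client network, then require a bearer token.

    Requests outside the legacy prefix pass straight through. Each refusal is
    appended to ``audit_log`` so it can be forwarded to a SIEM.
    """

    def __init__(self, app, api_token: str, prefix: str = LEGACY_PREFIX,
                 trusted_networks=TRUSTED_NETWORKS):
        self.app = app
        self.api_token = api_token.encode()
        self.prefix = prefix
        self.trusted_networks = list(trusted_networks)
        self.audit_log: List[Dict[str, str]] = []

    def _deny_reason(self, environ) -> Optional[str]:
        try:
            client = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return "unparseable_client_address"
        if not any(client in net for net in self.trusted_networks):
            return "client_not_allowlisted"
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return "missing_token"
        # Constant-time comparison so a wrong token is not distinguishable by timing.
        if not hmac.compare_digest(token.encode(), self.api_token):
            return "invalid_token"
        return None

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(self.prefix):
            return self.app(environ, start_response)
        reason = self._deny_reason(environ)
        if reason is None:
            return self.app(environ, start_response)
        self.audit_log.append({"client": environ.get("REMOTE_ADDR", ""),
                               "method": environ.get("REQUEST_METHOD", ""),
                               "path": path, "reason": reason})
        network_denial = reason in ("client_not_allowlisted", "unparseable_client_address")
        status = "403 Forbidden" if network_denial else "401 Unauthorized"
        body = json.dumps({"error": reason}).encode()
        headers = [("Content-Type", "application/json"),
                   ("Content-Length", str(len(body)))]
        if not network_denial:
            headers.append(("WWW-Authenticate", "Bearer"))
        start_response(status, headers)
        return [body]


def invoke(app, path: str, remote_addr: str, token: Optional[str] = None,
           method: str = "POST"):
    """Drive a WSGI app with a constructed request; returns (status_code, json_body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return int(captured["status"].split()[0]), json.loads(body)


def denials_by_client(audit_log) -> Dict[str, int]:
    """Count refused legacy-API requests per client address for monitoring."""
    counts: Dict[str, int] = {}
    for entry in audit_log:
        counts[entry["client"]] = counts.get(entry["client"], 0) + 1
    return counts


if __name__ == "__main__":
    guard = LegacyApiGuard(legacy_app, api_token="example-token")  # hypothetical token
    print(invoke(legacy_app, "/legacy/run", "203.0.113.5"))         # unguarded app answers
    print(invoke(guard, "/legacy/run", "203.0.113.5"))              # off-network client refused
    print(invoke(guard, "/legacy/run", "10.1.2.3", token="example-token"))
    print(denials_by_client(guard.audit_log))
```

To apply it to a real Flask application, assign app.wsgi_app = LegacyApiGuard(app.wsgi_app, api_token=...), and set the prefix to whatever the deployment's legacy routes actually are. REMOTE_ADDR is only as trustworthy as the nearest proxy that sets it, so the network allowlist is a defence-in-depth layer and the bearer token is the check that must hold on its own; neither replaces a vendor fix.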

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 21:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Vanna-ai; Vanna-ai vanna
Vendors & Products                   Vanna-ai; Vanna-ai vanna

Mon, 27 Apr 2026 14:15:00 +0000

Type     Values Removed  Values Added
Metrics                  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 10:30:00 +0000

Type         Values Removed  Values Added
Description                  A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                        vanna-ai vanna Legacy Flask API improper authorization
Weaknesses                   CWE-266 (Incorrect Privilege Assignment); CWE-285 (Improper Authorization)
References
Metrics                      cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                             cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                             cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                             cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:34:28.591Z

Reserved: 2026-04-24T18:50:10.544Z

Link: CVE-2026-6977

Vulnrichment

Updated: 2026-04-27T13:12:53.073Z

NVD

Status: Deferred

Published: 2026-04-25T11:16:19.103

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:45:23Z

Weaknesses