Description
A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the exec function of proc_wrapper.py in MindsDB’s Engine Handler, allowing an attacker to upload any file type without restriction. This weakness can be triggered remotely, enabling the delivery of potentially malicious payloads that the system may later execute or use to compromise stability and confidentiality.

Affected Systems

All MindsDB installations up to and including version 26.01 are affected. No vendor patch has been publicly released yet; the issue remains in the Engine Handler component that handles BYOM requests.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. No EPSS value is available, but the presence of a publicly available exploit and the ability to launch the attack remotely raise the risk profile. Attackers could exploit the unrestricted upload to introduce executable files, potentially leading to remote code execution or other abuse of system privileges.

Generated by OpenCVE AI on May 4, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MindsDB to a version newer than 26.01 that fixes the exec function flaw.
  • Implement a strict whitelist for uploadable file types, validating MIME types and extensions to prevent dangerous content.
  • Enable detailed logging of upload activity and temporarily disable or restrict the exec endpoint until a vendor fix is available.

Advisories

No advisories yet.

History

Mon, 04 May 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | MindsDB Engine proc_wrapper.py exec unrestricted upload
First Time appeared | | Mindsdb; Mindsdb mindsdb
Weaknesses | | CWE-284; CWE-434
CPEs | | cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*
Vendors & Products | | Mindsdb; Mindsdb mindsdb
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T23:30:25.535Z

Reserved: 2026-05-03T07:43:04.285Z

Link: CVE-2026-7711

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T00:16:39.817

Modified: 2026-05-04T00:16:39.817

Link: CVE-2026-7711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T02:00:06Z

Weaknesses