Description
A missing authentication check on the Aix‑DB "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints.
All releases up to 1.2.4 are considered vulnerable. Status of next releases is unknown as the vulnerability has not been addressed by any patch.
Published: 2026-06-10
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authentication check on the Aix-DB /llm/process_llm_out endpoint allows unauthenticated clients to execute arbitrary SELECT SQL queries and retrieve database data. The endpoint does not enforce the token validation present on all other application endpoints, leading to potential data disclosure. This weakness is classified as CWE-306.

Affected Systems

Affected systems include the Aix-DB application from the vendor Aix-DB. All releases up to version 1.2.4 are vulnerable. No patch has yet been released for subsequent versions, so the status of newer releases remains unknown.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity risk. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The lack of authentication means the attack can be performed by any external client with network access to the endpoint, making exploitation highly reachable and straightforward. The impact includes potential confidentiality breach via arbitrary data extraction.

Generated by OpenCVE AI on June 10, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Aix-DB to a version that includes the authentication check for the /llm/process_llm_out endpoint once a patch is released.
  • If an upgrade is not yet possible, restrict network access to the /llm/process_llm_out endpoint using firewall rules or network segmentation to limit exposure to trusted hosts only.
  • Implement application‑level validation to enforce authentication on the endpoint, ensuring that only requests carrying a valid token are processed.
  • Monitor logs for unauthorized SELECT statement attempts to detect potential exploitation.

Generated by OpenCVE AI on June 10, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description A missing authentication check on the Aix‑DB "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are considered vulnerable. Status of next releases is unknown as the vulnerability has not been addressed by any patch.
Title Missing authentication in Aix-DB
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-10T16:05:36.144Z

Reserved: 2026-05-11T15:30:18.104Z

Link: CVE-2026-8335

cve-icon Vulnrichment

Updated: 2026-06-10T16:05:32.836Z

cve-icon NVD

Status : Received

Published: 2026-06-10T15:16:42.803

Modified: 2026-06-10T15:16:42.803

Link: CVE-2026-8335

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T16:00:07Z

Weaknesses