Cyber Posture

CVE-2026-27483

Severity: High · Public PoC
Published: 24 February 2026
Modified: 26 February 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1695 (95.0th percentile)
Risk Priority: 28 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2026-27483 is a path traversal vulnerability (CWE-22) in MindsDB, an open-source platform for building artificial intelligence applications from enterprise data. The flaw affects versions prior to 25.9.1.1 and lies in the /api/files endpoint, specifically its "Upload File" module. The multipart upload handler performs no security check on the path of the uploaded file, so an attacker can place ../ sequences in the filename field. The file write occurs before the clear_filename and save_file functions are called, so arbitrary content is written unfiltered to server paths. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this issue remotely over the network, with no user interaction required. By submitting a file upload request whose filename contains path traversal sequences, the attacker can create or overwrite files at arbitrary locations on the server filesystem, such as executable scripts or configuration files. This leads to remote command execution, with high impact on confidentiality, integrity, and availability.

MindsDB patched the vulnerability in version 25.9.1.1, which should be applied to affected deployments immediately. Official mitigation details are in the GitHub security advisory (GHSA-4894-xqv6-vrfq), the release notes for v25.9.1.1, and the fixing commit (87a44bdb2b97f963e18f10a068e1a1e2690505ef).
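As an added illustration (not MindsDB's code, which is not reproduced here), the Python below contrasts the weak pattern the summary describes, a client-supplied multipart filename joined to the storage directory as-is, with a handler that sanitises the filename and checks containment before any write; the upload root and filenames are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed upload root for illustration; not MindsDB's real storage layout.
UPLOAD_ROOT = Path("/srv/app/uploads")

def escapes_root(upload_root: Path, candidate: Path) -> bool:
    """True when candidate is outside upload_root (component-wise, not a string prefix)."""
    root = os.path.normpath(upload_root)
    return os.path.commonpath([root, os.path.normpath(candidate)]) != root

def naive_target_path(upload_root: Path, filename: str) -> Path:
    """Weak pattern: the client filename is joined unchanged, so '../' is honoured."""
    return Path(os.path.normpath(upload_root / filename))

def clean_filename(filename: str) -> str:
    """Reduce an attacker-controlled filename to one safe path segment."""
    # Drop every directory component, whether '/' or '\\' separated.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Allow a conservative character set; anything else becomes '_'.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Names that are empty or consist only of dots ('.', '..') are refused.
    if name.strip(".") == "":
        raise ValueError("filename has no usable characters")
    return name

def safe_target_path(upload_root: Path, filename: str) -> Path:
    """Sanitise first, then verify containment; nothing is written yet."""
    target = Path(os.path.normpath(upload_root / clean_filename(filename)))
    if escapes_root(upload_root, target):  # second guard, should never trip
        raise ValueError("resolved path escapes upload root")
    return target

def save_upload(upload_root: Path, filename: str, content: bytes) -> Path:
    """Correct ordering: decide the destination before any write happens."""
    target = safe_target_path(upload_root, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return target

def demo_roundtrip(content: bytes = b"constructed sample") -> bool:
    """Store a traversal-style filename in a throwaway directory and confirm it stayed inside."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stored = save_upload(root, "../../outside.txt", content)
        return stored.parent == root and stored.read_bytes() == content
```

The naive join lands a traversal filename outside the upload root, while the hardened path degrades the same request to a plain upload under the cleaned name; a deployment that prefers to reject such requests outright can raise in clean_filename when the name contains a separator instead of stripping it.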

Details

CWE(s)
CWE-22

Affected Products

Vendor: mindsdb
Product: mindsdb
Versions: ≤ 25.9.1.1

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: artificial intelligence

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The path traversal vulnerability in the file upload endpoint allows low-privileged authenticated attackers to write arbitrary files remotely, enabling remote code execution through overwriting executable scripts or configuration files, directly facilitating exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
