CVE-2026-4229
Published: 16 March 2026
Summary
CVE-2026-4229 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SQL injection by requiring validation and sanitization of the ID argument in the remove_training_data function before use in BigQuery SQL queries.
Requires timely remediation of the known SQL injection flaw in vanna-ai versions up to 2.0.2 through patching or upgrading.
Enables vulnerability scanning to identify the SQL injection vulnerability in the affected vanna-ai library during monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible function (remove_training_data) directly provides an unauthenticated network exploitation vector against a public-facing application or service using the Vanna AI BigQuery integration, matching T1190.
NVD Description
A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function remove_training_data of the file src/vanna/legacy/google/bigquery_vector.py. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published…
more
and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-4229 is a SQL injection vulnerability affecting Vanna AI (vanna) versions up to 2.0.2. The flaw resides in the `remove_training_data` function within the file `src/vanna/legacy/google/bigquery_vector.py`, where manipulation of the `ID` argument enables injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 74 (Improper Neutralization of Special Elements used in an SQL Command) and 89 (SQL Injection).
The vulnerability is remotely exploitable by unauthenticated attackers with network access and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the affected BigQuery vector operations.
Advisories from VulDB (e.g., ctiid.351152, id.351152) document the issue, note the published exploit on GitHub Gist, and indicate that the vendor was contacted early but provided no response or patch. Practitioners should upgrade to versions beyond 2.0.2 if available or review and sanitize inputs to the affected function.
Notably, an exploit is publicly available, increasing the risk of active use. Vanna AI's integration with BigQuery vectors suggests relevance to AI/ML workflows involving training data management and SQL generation.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai