CVE-2026-4231
Published: 16 March 2026
Summary
CVE-2026-4231 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of inputs to the vulnerable update_sql/run_sql functions in the Flask endpoint to block SSRF payloads containing malicious URLs or destinations.
Monitors and controls outbound communications at system boundaries to prevent the server from forging requests to arbitrary internal or external services via the SSRF vulnerability.
Enforces information flow control policies to restrict server-initiated requests from the vulnerable endpoint to unauthorized destinations, mitigating SSRF exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in unauthenticated public-facing Flask endpoint (update_sql/run_sql) directly enables T1190 exploitation for initial access; the ability to coerce server requests to arbitrary internal destinations also facilitates T1046 Network Service Discovery.
NVD Description
A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely.…
more
The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-4231 is a server-side request forgery (SSRF) vulnerability affecting vanna-ai vanna versions up to 2.0.2. The issue resides in the update_sql/run_sql functions within the file src/vanna/legacy/flask/__init__.py, part of the Endpoint component. It enables remote manipulation leading to SSRF, as classified under CWE-918, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to forge requests from the server to arbitrary destinations, such as internal services or external resources.
Advisories from VulDB note that the vendor was contacted early for disclosure but provided no response, and no patches or mitigations are mentioned. An exploit proof-of-concept is publicly available via a GitHub Gist, increasing the risk of active exploitation.
Vanna-ai is an AI-driven framework for SQL query generation, making this SSRF flaw relevant to AI/ML deployments relying on its legacy Flask endpoints. The public exploit and lack of vendor engagement suggest potential for real-world abuse in exposed instances.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai