Cyber Resilience

CVE-2026-4231

Medium

Published: 16 March 2026

Published
16 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4231 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-4231 is a server-side request forgery (SSRF) vulnerability affecting vanna-ai vanna versions up to 2.0.2. The issue resides in the update_sql/run_sql functions within the file src/vanna/legacy/flask/__init__.py, part of the Endpoint component. It enables remote manipulation leading to SSRF, as classified under CWE-918, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to forge requests from the server to arbitrary destinations, such as internal services or external resources.

Advisories from VulDB note that the vendor was contacted early for disclosure but provided no response, and no patches or mitigations are mentioned. An exploit proof-of-concept is publicly available via a GitHub Gist, increasing the risk of active exploitation.

Vanna-ai is an AI-driven framework for SQL query generation, making this SSRF flaw relevant to AI/ML deployments relying on its legacy Flask endpoints. The public exploit and lack of vendor engagement suggest potential for real-world abuse in exposed instances.

EU & UK References

Vulnerability details

A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely.…

more

The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in unauthenticated public-facing Flask endpoint (update_sql/run_sql) directly enables T1190 exploitation for initial access; the ability to coerce server requests to arbitrary internal destinations also facilitates T1046 Network Service Discovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28451Shared CWE-918
CVE-2026-34576Shared CWE-918
CVE-2026-30247Shared CWE-918
CVE-2026-27488Shared CWE-918
CVE-2026-41271Shared CWE-918
CVE-2026-24779Shared CWE-918
CVE-2026-22664Shared CWE-918
CVE-2024-13924Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-25785Shared CWE-918

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of inputs to the vulnerable update_sql/run_sql functions in the Flask endpoint to block SSRF payloads containing malicious URLs or destinations.

prevent

Monitors and controls outbound communications at system boundaries to prevent the server from forging requests to arbitrary internal or external services via the SSRF vulnerability.

prevent

Enforces information flow control policies to restrict server-initiated requests from the vulnerable endpoint to unauthorized destinations, mitigating SSRF exploitation.

References