CVE-2026-7711
Published: 04 May 2026
Summary
CVE-2026-7711 is a medium-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 17.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7711 is a vulnerability in MindsDB versions up to 26.01, affecting the exec function within the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py in the Engine Handler component. A remote caller can manipulate this function to achieve an unrestricted file upload; the weakness is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), which is High under v3.1 scoring and differs from the 5.5 (Medium) score given in the summary above; the vector reflects network reachability with no privileges and no user interaction required.
Remote attackers need neither privileges nor user interaction, and the vector rates the resulting impact on confidentiality, integrity and availability as Low for each. A public exploit is detailed in a GitHub repository, and an attacker-controlled file landing inside the engine could serve as a stepping stone to further attacks such as remote code execution.
Advisories from VulDB and the referenced GitHub proof-of-concept highlight the issue and note that the vendor did not respond despite early disclosure contact. No patches or official mitigations are mentioned, leaving affected systems reliant on workarounds such as restricting network access to the Engine Handler, or upgrading past version 26.01 once a fixed release exists.
Because the exploit is public, the risk of real-world attacks is elevated, particularly in environments that expose MindsDB for data and ML integrations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26852
Vulnerability details
A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1105 Ingress Tool Transfer
- T1059.006 Command and Scripting Interpreter: Python
Why these techniques?
The unrestricted remote file upload in the public-facing MindsDB Engine Handler gives an attacker initial access via T1190 (Exploit Public-Facing Application). The upload mechanism itself is a channel for T1105 (Ingress Tool Transfer) of attacker-supplied files, and the exec function in the Python proc_wrapper makes T1059.006 (Command and Scripting Interpreter: Python) the natural path from an uploaded file to remote code execution.
Affected Assets
- MindsDB, versions up to 26.01 (Engine Handler / BYOM handler component)
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to the exec function, directly mitigating the improper access control that enables unrestricted remote file uploads.
- SI-10 (Information Input Validation): validates inputs to the Engine Handler's exec function, preventing the manipulation that leads to uploads of dangerous file types.
- Restricts the types and volume of inputs allowed to the vulnerable proc_wrapper.py exec function, blocking unrestricted uploads.
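The workaround discussion above (no vendor fix, access restriction as the interim measure) and the two controls listed here describe the same gate from two sides. The Python below is an added illustration of that gate and is not MindsDB's code, not the contents of proc_wrapper.py, and not a patch for this CVE: it shows an AC-3 authorization check followed by SI-10 allow-list validation placed in front of a hypothetical "bring your own model" upload. The permission name `byom:upload`, the allowed suffixes, the size cap, the filename policy, and the `Principal` type are all assumptions made for the example; the sample inputs at the bottom are constructed, not captured traffic.

```python
# Added illustration only: this is NOT MindsDB's code and NOT the contents of
# proc_wrapper.py. It shows an AC-3 authorization gate and SI-10 input
# validation placed in front of a hypothetical "bring your own model" upload.
# Permission name, allowed suffixes, size cap and filename policy are assumed.
from dataclasses import dataclass, field
import os
import re

MAX_UPLOAD_BYTES = 1024 * 1024                  # assumed cap on one upload
ALLOWED_SUFFIXES = frozenset({".py", ".txt"})   # assumed: model code, requirements
REQUIRED_PERMISSION = "byom:upload"             # assumed permission name
# Plain basename only: no path separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


@dataclass(frozen=True)
class Principal:
    """Caller identity as the API layer would hand it to the handler (assumed shape)."""
    name: str
    permissions: frozenset = field(default_factory=frozenset)


ANONYMOUS = Principal(name="anonymous")   # no permissions at all


class UploadRejected(Exception):
    """Short, log-friendly reason; never echoes attacker-controlled bytes."""


def check_authorization(principal: Principal) -> None:
    """AC-3 (Access Enforcement): an explicit permission is required before
    any upload handling runs, so an unauthenticated caller stops here."""
    if REQUIRED_PERMISSION not in principal.permissions:
        raise UploadRejected(f"not authorized for {REQUIRED_PERMISSION}")


def validate_upload(filename: str, content: bytes) -> str:
    """SI-10 (Information Input Validation): allow-list the name, type, size
    and encoding of the upload; return the validated basename on success."""
    if not SAFE_NAME.fullmatch(filename):
        raise UploadRejected("filename contains disallowed characters")
    suffix = os.path.splitext(filename)[1]
    if suffix not in ALLOWED_SUFFIXES:
        raise UploadRejected("file type not allowed")
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    if b"\x00" in content:
        raise UploadRejected("binary content in a text upload")
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        raise UploadRejected("content is not UTF-8 text") from None
    if suffix == ".py":
        # compile() parses without executing, so a syntax check is safe here.
        try:
            compile(text, filename, "exec")
        except SyntaxError:
            raise UploadRejected("python source does not parse") from None
    return filename


def accept_upload(principal: Principal, filename: str, content: bytes) -> str:
    """Authorization first, then validation; only then may the caller store
    or load the file. Returns the validated basename."""
    check_authorization(principal)
    return validate_upload(filename, content)


def rejection_reason(principal: Principal, filename: str, content: bytes):
    """Wrapper for logging or tests: the rejection reason, or None if accepted."""
    try:
        accept_upload(principal, filename, content)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    uploader = Principal("alice", frozenset({REQUIRED_PERMISSION}))
    samples = [
        (uploader, "model.py", b"def predict(x):\n    return x\n"),
        (ANONYMOUS, "model.py", b"x = 1\n"),
        (uploader, "../model.py", b"x = 1\n"),
        (uploader, "payload.sh", b"id\n"),
        (uploader, "model.py", b"def broken(:\n"),
    ]
    for who, name, data in samples:
        verdict = rejection_reason(who, name, data) or "accepted"
        print(f"{who.name:10} {name:14} -> {verdict}")
```

The order matters: the authorization check runs before any byte of the upload is parsed, so an unauthenticated caller never reaches the validator, and the validator rejects by allow-list (name charset, suffix, size, encoding, parseability) rather than by trying to enumerate dangerous types. Whether MindsDB's own handler performs any of these steps is not stated on this page; the example only shows what the AC-3 and SI-10 controls look like in code.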