DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27483: Lobotomy by File Upload: RCE in MindsDB via Path Traversal

Vulnerability ID: CVE-2026-27483
CVSS Score: 8.8
Published: 2026-02-24

A high-severity path traversal vulnerability in MindsDB allows authenticated attackers to break out of the upload directory and overwrite any file the MindsDB process can write. By sending a filename containing '../' in the multipart 'Content-Disposition' header of a file upload, an attacker can replace core Python library files with malicious code, leading to Remote Code Execution (RCE) when the application subsequently imports or runs those libraries. The flaw stems from an unsafe configuration of the 'python-multipart' library (UPLOAD_KEEP_FILENAME enabled), which wrote uploaded parts to disk under the client-supplied name without validating it.

TL;DR

MindsDB trusted client-supplied filenames in its upload handler. An authenticated attacker can use directory traversal ('../') to overwrite any file the server process can write. Overwriting a commonly imported library such as 'pip' and then triggering an install process grants full RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-22 (Path Traversal)
  • CVSS: 8.8 (High)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution (RCE)
  • Library: python-multipart
  • Fix Commit: 87a44bd

Affected Systems

  • MindsDB < 25.9.1.1 (fixed in 25.9.1.1)

Code Analysis

Commit: 87a44bd

Fix path traversal in file upload by disabling UPLOAD_KEEP_FILENAME and validating path

-            data["file"] = file.file_name.decode()
+            file_name = file.file_name.decode()
+            data["file"] = file_name
+            if Path(file_name).name != file_name:
+                raise ValueError(f"Wrong file name: {file_name}")
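Review bot: the check `Path(file_name).name != file_name` lets `..` and the empty string through, because `Path("..").name == ".."` and `Path("").name == ""`; if that name is later joined onto the upload directory, `..` still resolves to the parent. Reject `file_name in ("", ".", "..")` explicitly (or require the name to match an allowlist such as `[A-Za-z0-9._-]+`), and on POSIX `Path("a\\..\\b").name` is the whole string, so a backslash is not caught either; reject `\\` as well if uploads could ever be written on Windows. Also assign `data["file"] = file_name` after the check rather than on the line before it, so a rejected name never reaches `data` even transiently. The `UPLOAD_KEEP_FILENAME` change the commit message describes is not in this hunk; this handler-level check on its own only guards the handler's use of the name, not where the multipart parser writes the part.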

Exploit Details

  • Theoretical (POC status): an authenticated user uploads a file whose multipart 'Content-Disposition' filename contains traversal segments ('../') so that it is written over a Python library file the MindsDB process can modify (the write-up names 'pip' as the example), then triggers the code path that imports or runs that library, e.g. an install step.
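The traversal and the fix, as an added example (not MindsDB or python-multipart code): a minimal stand-in for the multipart header parsing shows how a raw 'Content-Disposition' filename escapes the upload directory when the client name is kept, transcribes the basename check from commit 87a44bd to show it still accepts '..', and contrasts it with a stricter validator. The upload directory path, the regex-based header parsing and the sample part headers are assumptions for illustration; all paths are computed as strings and nothing is written to disk.

```python
"""Added example (not MindsDB or python-multipart code): how a raw
Content-Disposition filename escapes the upload directory, why the
basename check in the fix commit still lets '..' through, and a stricter
validator. Paths are only computed as strings; nothing touches the disk."""
import posixpath
import re
from pathlib import PurePosixPath

# Assumed upload location, for illustration only.
UPLOAD_DIR = "/var/lib/mindsdb/uploads"

# Stand-in for the parser: pulls the quoted filename parameter verbatim.
_FILENAME_RE = re.compile(r';\s*filename="((?:[^"\\]|\\.)*)"')


def filename_from_content_disposition(header: str) -> str:
    """Extract the quoted filename parameter from a multipart part header
    the way a naive parser does: returned as sent, separators and all."""
    match = _FILENAME_RE.search(header)
    if match is None:
        raise ValueError("no filename parameter in Content-Disposition")
    return match.group(1).replace('\\"', '"')


def keep_filename_target(upload_dir: str, file_name: str) -> str:
    """Where a 'keep the client's filename' upload lands: a plain join, so
    '..' segments are honoured and the result can be anywhere writable."""
    return posixpath.normpath(posixpath.join(upload_dir, file_name))


def escapes_upload_dir(upload_dir: str, file_name: str) -> bool:
    """True when the joined path resolves outside upload_dir."""
    base = posixpath.normpath(upload_dir)
    target = keep_filename_target(base, file_name)
    return posixpath.commonpath([base, target]) != base


def accepted_by_fix_commit(file_name: str) -> bool:
    """The check from commit 87a44bd, transcribed: a name is accepted when it
    equals its own last path component."""
    return PurePosixPath(file_name).name == file_name


def is_safe_upload_name(file_name: str) -> bool:
    """Stricter rule: one non-empty path component, no '/' or '\\' (the latter
    matters if files are ever written on Windows), not '.' or '..', no NUL,
    and only characters from a small allowlist."""
    if file_name in ("", ".", "..") or "\x00" in file_name:
        return False
    if "/" in file_name or "\\" in file_name:
        return False
    if PurePosixPath(file_name).name != file_name:
        return False
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}", file_name) is not None


# Constructed part headers: one traversal attempt aimed at a pip module, one benign upload.
MALICIOUS_PART = (
    'form-data; name="file"; '
    'filename="../../../../usr/lib/python3/dist-packages/pip/__init__.py"'
)
BENIGN_PART = 'form-data; name="file"; filename="sales.csv"'


def triage(header: str) -> dict:
    """Summarise one upload: the extracted name, where keep-filename would
    write it, whether that escapes UPLOAD_DIR, and what each validator says."""
    name = filename_from_content_disposition(header)
    return {
        "file_name": name,
        "target": keep_filename_target(UPLOAD_DIR, name),
        "escapes": escapes_upload_dir(UPLOAD_DIR, name),
        "fix_commit_accepts": accepted_by_fix_commit(name),
        "strict_accepts": is_safe_upload_name(name),
    }


if __name__ == "__main__":
    for part in (MALICIOUS_PART, BENIGN_PART, 'form-data; name="file"; filename=".."'):
        print(triage(part))
```

The third header in the `__main__` loop is the edge case worth remembering: a bare '..' passes the basename check in the fix commit yet still resolves to the parent of the upload directory, which is why the strict validator rejects '.', '..' and the empty string explicitly rather than relying on `Path(...).name` alone.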

Mitigation Strategies

  • Input sanitization: accept only upload filenames that are a single path component (no '/', '\', '..' or empty name), or ignore the client name entirely and generate one server-side.
  • Library configuration hardening: disable python-multipart's UPLOAD_KEEP_FILENAME so the parser never writes an uploaded part to disk under the client-chosen name.
  • Dependency updates: upgrade MindsDB to a fixed release.

Remediation Steps:

  1. Upgrade MindsDB to version 25.9.1.1 or later.
  2. Verify that the python-multipart library is updated to version 0.0.20+.
  3. Audit the filesystem for unexpected changes to Python library files (e.g., pip, requests). The RECORD file pip writes for each installed distribution lists the expected sha256 of every file and is a convenient baseline; modification times alone are not trustworthy.
  4. Review request logs for POST requests to the file-upload endpoint (/api/files) whose multipart 'Content-Disposition' filename contains traversal sequences ('../'). The traversal sits in the request body, not the URL, so an access log that records only the request line will not show it; request-body logging, a WAF or a reverse proxy with body inspection is needed.
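One way to carry out the filesystem audit in step 3, as an added example that is not code from the advisory, MindsDB or pip: compare installed package files against the sha256 digests pip records at install time in each distribution's RECORD file (the format defined by PEP 376 and PEP 627), so a library overwritten through the upload traversal shows up as modified. The sample package and its RECORD are constructed in memory; `audit_installed_distribution()` applies the same check to a real site-packages distribution and assumes it was installed from a wheel, so a RECORD file exists.

```python
"""Added example, not code from the advisory, MindsDB or pip: verify installed
Python package files against the sha256 values pip recorded in RECORD, so a
library overwritten via the upload traversal is reported as modified."""
import base64
import csv
import hashlib
import io
from typing import Callable, Dict, List


def record_hash(data: bytes) -> str:
    """RECORD stores sha256 digests as unpadded urlsafe base64."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_record(record_text: str, read_file: Callable[[str], bytes]) -> Dict[str, List[str]]:
    """Compare every hashed RECORD entry with the bytes currently on disk.

    read_file maps a RECORD-relative path to its contents and raises
    FileNotFoundError if the file is gone. Returns the paths that were
    modified, missing, or carry no hash (RECORD itself and *.pyc files).
    """
    result: Dict[str, List[str]] = {"modified": [], "missing": [], "unhashed": []}
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue
        path = row[0]
        hash_spec = row[1] if len(row) > 1 else ""
        algo, _, expected = hash_spec.partition("=")
        if algo != "sha256" or not expected:
            result["unhashed"].append(path)
            continue
        try:
            actual = record_hash(read_file(path))
        except FileNotFoundError:
            result["missing"].append(path)
            continue
        if actual != expected:
            result["modified"].append(path)
    return result


# Constructed sample: a two-file package whose __init__.py has been replaced
# and whose util.py has been deleted. Nothing here is read from a real install.
GOOD_INIT = b'__version__ = "1.0"\n'
GOOD_UTIL = b"def helper(): pass\n"
TAMPERED_INIT = b'print("tampered")\n__version__ = "1.0"\n'
SAMPLE_RECORD = (
    f"demo/__init__.py,sha256={record_hash(GOOD_INIT)},{len(GOOD_INIT)}\n"
    f"demo/util.py,sha256={record_hash(GOOD_UTIL)},{len(GOOD_UTIL)}\n"
    "demo/__pycache__/__init__.cpython-311.pyc,,\n"
    "demo-1.0.dist-info/RECORD,,\n"
)
FAKE_DISK = {"demo/__init__.py": TAMPERED_INIT}


def fake_read(path: str) -> bytes:
    """Stand-in for reading from site-packages, backed by FAKE_DISK."""
    try:
        return FAKE_DISK[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def audit_installed_distribution(dist_name: str) -> Dict[str, List[str]]:
    """Run the same check against a real pip-installed distribution
    (assumes a wheel install, so a RECORD file exists)."""
    from importlib import metadata

    dist = metadata.distribution(dist_name)
    record = dist.read_text("RECORD") or ""
    return verify_record(record, lambda rel: dist.locate_file(rel).read_bytes())


if __name__ == "__main__":
    print(verify_record(SAMPLE_RECORD, fake_read))
```

To audit a real host, call `audit_installed_distribution("pip")` (or any other distribution name) for each package the attacker could plausibly have targeted; an overwritten module appears under "modified". Files without a RECORD hash, including compiled *.pyc caches, are listed separately and need a different baseline, since a tampered source file can be masked by a stale cache until the next import recompiles it.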


Read the full report for CVE-2026-27483 on our website for more details including interactive diagrams and full exploit analysis.
