SAI Security Advisory

Eval on query parameters allows arbitrary code execution in Weaviate integration

September 12, 2024

Products Impacted

This vulnerability is present in MindsDB versions v23.10.3.0 up to v24.7.4.1.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Details

To exploit this, an attacker must be authenticated to a MindsDB instance that has the Weaviate integration installed. The vulnerability can be exploited if an embedding vector filter is present because the argument for the embeddings column in a ‘SELECT WHERE’ clause is passed to an eval statement in the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file (shown below – edited to only include the relevant sections).

def select(
        self,
        table_name: str,
        columns: List[str] = None,
        conditions: List[FilterCondition] = None,
        offset: int = None,
        limit: int = None,
    ) -> HandlerResponse:

...

        # check if embedding vector filter is present
        vector_filter = (
            None
            if not conditions
            else [
                condition
                for condition in conditions
                if condition.column == TableField.SEARCH_VECTOR.value
                or condition.column == TableField.EMBEDDINGS.value
            ]
        )

...

        if vector_filter:
            # similarity search
            # assuming the similarity search is on content
            # assuming there would be only one vector based search per query
            vector_filter = vector_filter[0]
            near_vector = {
                "vector": eval(vector_filter.value)
                if isinstance(vector_filter.value, str)
                else vector_filter.value
            }
            query = query.with_near_vector(near_vector)

The eval function appears to be used for parsing valid Python data types from arbitrary user input but has the side effect of enabling arbitrary code execution because Python code can be passed to it via the method explained above.

Related SAI Security Advisory

CVE-2026-45833

June 12, 2026

Post-Authentication RCE via update_collection

ChromaDB

Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. The update_collection endpoint uses the same build_from_config() code path as CVE-2026-45829. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.

June 2026
CVE-2026-45832

June 12, 2026

V1 API Tenant Isolation Bypass via Null Tenant/Database Context

ChromaDB

All V1 collection-level endpoints pass None for tenant and database to the authorization layer, making tenant-scoped access control impossible through V1, regardless of which authorization provider is configured. V1 cannot be disabled. Combined with CVE-2026-45830, any authenticated user has unrestricted read/write access to any collection by UUID through V1 endpoints.

June 2026