Submit #771215: vanna-ai Vanna 2.0.2 SQL Injection (CWE-89)info

Titlevanna-ai Vanna 2.0.2 SQL Injection (CWE-89)
Description# Technical Details A Direct SQL Injection vulnerability exists in the `update_sql` and `run_sql` endpoints in `src/vanna/legacy/flask/__init__.py` of Vanna. The `/api/v0/update_sql` endpoint accepts arbitrary SQL from the request body and stores it in the shared cache with zero validation. An attacker then calls `/api/v0/run_sql` with the same cache ID, which reads the cached SQL and executes it directly against the connected database — completely bypassing the `is_sql_valid()` check that only exists in the `generate_sql` endpoint. # Vulnerable Code File: src/vanna/legacy/flask/__init__.py (line 604-648) Method: update_sql endpoint Why: The endpoint stores attacker-supplied SQL in the cache without any validation: `self.cache.set(id=id, field="sql", value=sql)`. The `run_sql` endpoint (line 499-552) then executes this cached SQL via `vn.run_sql(sql=sql)` with zero re-validation. The `is_sql_valid()` check only exists in `generate_sql`, not in `update_sql`. # Reproduction 1. Start Vanna server with any database backend (default NoAuth configuration) 2. Get a valid cache ID: curl 'http://127.0.0.1:8084/api/v0/generate_sql?question=how+many+customers' 3. Overwrite cached SQL: curl -X POST 'http://127.0.0.1:8084/api/v0/update_sql' -H 'Content-Type: application/json' -d '{"id":"<cache_id>","sql":"SELECT service_name, api_key, secret_key FROM api_credentials"}' 4. Execute injected SQL: curl 'http://127.0.0.1:8084/api/v0/run_sql?id=<cache_id>' — returns stolen credentials # Impact - Arbitrary SQL execution on any connected database (all backends) - Data exfiltration (SELECT from any table including credentials) - Data destruction (DROP TABLE, DELETE, TRUNCATE) - On PostgreSQL: file read via pg_read_file(), RCE via COPY TO PROGRAM - On MSSQL: RCE via EXEC xp_cmdshell - 100% deterministic — no LLM manipulation needed, only 2 HTTP requests
Source⚠️ https://gist.github.com/YLChen-007/48b86c2365e5ebf6923d5f14491b4329
User
 Eric-y (UID 95889)
Submission03/04/2026 08:49 (2 months ago)
Moderation03/15/2026 19:45 (11 days later)
StatusAccepted
VulDB entry351153 [vanna-ai vanna up to 2.0.2 Endpoint __init__.py update_sql sql injection]
Points20

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!