| tiêu đề | https://github.com/mindsdb/mindsdb <=26.01 Remote Code Execution |
|---|
| Mô tả | MindsDB is an open-source AI SQL Server that allows developers to train and deploy machine learning models through a SQL interface. Its BYOM (Bring Your Own Model) feature allows users to upload custom Python model code.
This report analyzes the Pickle deserialization remote code execution vulnerability in MindsDB BYOM Handler. The vulnerability allows attackers to upload malicious model code, inject objects with malicious __reduce__() methods during the model training phase, and trigger arbitrary code execution through pickle.loads() during the model prediction phase. |
|---|
| Nguồn | ⚠️ https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md |
|---|
| Người dùng | JD Security SHENYI Team (UID 97436) |
|---|
| Đệ trình | 17/04/2026 06:34 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 03/05/2026 09:43 (16 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 360888 [MindsDB đến 26.01 Pickle pickle.loads nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|