CVE-2026-4229
SQL Injection in vanna-ai remove_training_data Enables Remote Exploit
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vanna-ai | vanna | to 2.0.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4229 is a SQL Injection vulnerability found in the Vanna AI platform version 2.0.2 and earlier, specifically in the BigQuery vector store backend implementation. The flaw exists in the remove_training_data method, which constructs a SQL DELETE statement by directly embedding user-supplied input (the id parameter) into the query string using Python f-string interpolation without any sanitization or parameterization.
This improper handling allows an attacker to inject arbitrary SQL code via the id parameter. For example, by sending a specially crafted id value such as "' OR '1'='1", the attacker can manipulate the SQL query to delete all records in the training data table, causing mass data deletion.
The vulnerability can be exploited remotely without authentication due to the default permissive NoAuth configuration, making it easy for unauthenticated attackers to trigger this flaw. [1, 2, 3]
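The interpolation flaw described above, next to a parameterized version, as an added example that is not Vanna's own code. It uses an in-memory `sqlite3` database as a stand-in for BigQuery so it runs offline; the table name, column names, sample rows and function names are hypothetical.

```python
import sqlite3

TABLE = "training_data"  # hypothetical table name, not taken from the project

def make_store():
    """Build a small in-memory store with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (id TEXT PRIMARY KEY, content TEXT)")
    db.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?)",
        [("a1-sql", "SELECT 1"), ("b2-ddl", "CREATE TABLE t (x INT)"), ("c3-doc", "notes")],
    )
    return db

def remove_vulnerable(db, record_id):
    # Pattern the advisory describes: the caller's id is interpolated into
    # the statement text, so quote characters in it change the WHERE clause.
    return db.execute(f"DELETE FROM {TABLE} WHERE id = '{record_id}'").rowcount

def remove_parameterized(db, record_id):
    # The id is bound as a value and is never parsed as SQL. With the
    # google-cloud-bigquery client the same idea is "WHERE id = @id" plus
    # bigquery.ScalarQueryParameter("id", "STRING", record_id).
    if not isinstance(record_id, str):
        raise TypeError("id must be a string")
    return db.execute(f"DELETE FROM {TABLE} WHERE id = ?", (record_id,)).rowcount

def remaining(db):
    return db.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]

def demo():
    crafted = "' OR '1'='1"  # the id value quoted in the advisory
    results = {}
    db = make_store()
    results["vulnerable_deleted"] = remove_vulnerable(db, crafted)
    results["vulnerable_remaining"] = remaining(db)
    db = make_store()
    results["param_deleted"] = remove_parameterized(db, crafted)
    results["param_remaining"] = remaining(db)
    results["param_legit_deleted"] = remove_parameterized(db, "a1-sql")
    return results

if __name__ == "__main__":
    print(demo())
```

With the bound parameter, the crafted value is compared as a literal string, matches no row, and the table is left intact.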
How can this vulnerability impact me?
This vulnerability can have several serious impacts:
- Mass deletion of all training data, resulting in denial of service for the AI assistant.
- Selective deletion of specific categories of training data, which can degrade the quality and performance of AI models.
- Potential data exfiltration through error-based or blind SQL injection techniques.
- Possible unauthorized access or modification of other tables within the same BigQuery dataset due to broad client permissions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/api/v0/remove_training_data` that include SQL injection payloads in the `id` parameter.
For example, an attacker might send a JSON body like `{"id": "' OR '1'='1"}` which triggers a SQL injection.
You can detect attempts by capturing and inspecting HTTP traffic or logs for such requests.
- Use network monitoring tools (e.g., Wireshark, tcpdump) to filter HTTP POST requests to `/api/v0/remove_training_data`.
- Search application logs or web server logs for POST requests containing suspicious `id` values such as `' OR '1'='1` or other SQL injection patterns.
- Example command to search logs for suspicious payloads: `grep -i "id.*' OR '1'='1" /var/log/app.log`
- If you have access to the system, you can test the vulnerability by sending a crafted POST request using curl: `curl -X POST -H "Content-Type: application/json" -d '{"id": "' OR '1'='1"}' http://<target>/api/v0/remove_training_data` [1, 2]
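The log search described above, generalized from one fixed string to an allow-list check on the `id` value, as an added example that is not part of the original page. It assumes one JSON object per log line with `src`, `method`, `path` and `body` fields, and assumes legitimate ids are short tokens of letters, digits, `-` and `_`; the sample lines are constructed.

```python
import json
import re

ENDPOINT = "/api/v0/remove_training_data"  # endpoint named in the advisory
ID_OK = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed shape of a legitimate id

def classify(record):
    """Return a reason string for a suspicious request, else None."""
    if record.get("method") != "POST":
        return None
    if str(record.get("path", "")).split("?", 1)[0].rstrip("/") != ENDPOINT:
        return None
    try:
        body = json.loads(record.get("body") or "")
    except (json.JSONDecodeError, TypeError):
        return "unparseable body"
    if not isinstance(body, dict) or "id" not in body:
        return "missing id"
    if not isinstance(body["id"], str):
        return "non-string id"
    if not ID_OK.fullmatch(body["id"]):
        return "id outside expected format"
    return None

def scan(lines):
    """Return (line number, source address, reason) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured log line
        reason = classify(record) if isinstance(record, dict) else None
        if reason:
            hits.append((number, record.get("src"), reason))
    return hits

def _line(src, method, path, body):
    return json.dumps({"src": src, "method": method, "path": path, "body": body})

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    _line("198.51.100.7", "POST", ENDPOINT, json.dumps({"id": "7f3c-sql"})),
    _line("203.0.113.9", "POST", ENDPOINT, json.dumps({"id": "' OR '1'='1"})),
    _line("203.0.113.9", "GET", ENDPOINT, ""),
    _line("198.51.100.7", "POST", "/api/v0/train", json.dumps({"id": "it's fine"})),
    _line("203.0.113.9", "POST", ENDPOINT + "/", json.dumps({"id": ["a"]})),
    "plain text line that is not JSON",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```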
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling access to the vulnerable `/api/v0/remove_training_data` endpoint to prevent exploitation.
Since the vulnerability arises from unsafe string interpolation without parameterization, avoid using the affected version of Vanna AI (≤ 2.0.2) or replace the vulnerable component with a secure alternative.
Implement network-level controls such as firewall rules or API gateways to block unauthorized or suspicious requests to the vulnerable endpoint.
If possible, add input validation and sanitization on the `id` parameter to prevent SQL injection.
Enable authentication mechanisms instead of using the default `NoAuth` configuration to restrict access.
Monitor logs for exploitation attempts and respond accordingly.