Compliance Impact

The vulnerability allows unauthenticated access to critical API endpoints, enabling attackers to execute arbitrary natural language queries against connected databases without any authentication or access control.

This lack of authentication and access control can lead to unauthorized data access, absence of audit trails, and inability to attribute queries to specific users, which are significant compliance issues under standards like GDPR and HIPAA that require strict access controls, user authentication, and auditability.

Therefore, this vulnerability negatively impacts compliance with common data protection regulations by exposing sensitive data to unauthorized parties and failing to enforce necessary security controls.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-5320 is a vulnerability in Vanna AI versions up to 2.0.2 affecting the Chat API Endpoint, specifically the /api/vanna/v2/ routes. The issue is a missing authentication mechanism at the HTTP layer, meaning these API endpoints accept requests from any client without requiring authorization headers, API keys, session tokens, or any form of authentication.

This vulnerability arises because the route registration functions do not include authentication middleware, allowing unauthenticated requests to be processed immediately. The user resolution happens later downstream and is insecure, often returning hardcoded demo users without validation.

As a result, any attacker with network access can send unauthenticated requests to these endpoints and receive successful responses with full data, enabling arbitrary natural language queries against the connected database if configured with a real large language model and database backend.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several significant impacts:

• Unauthenticated database access via natural language queries, potentially exposing sensitive data.
• Lack of access control, making it impossible to distinguish legitimate users from attackers.
• No audit trail or attribution of queries to specific users, complicating incident response and accountability.
• Potential resource abuse, including unauthorized consumption of large language model API tokens and database resources.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the vulnerable API endpoints for missing authentication. Specifically, sending unauthenticated HTTP POST requests to endpoints such as /api/vanna/v2/chat_poll, /api/vanna/v2/chat_sse, and /api/vanna/v2/chat_websocket and observing if they return successful responses indicates the presence of the vulnerability.

You can use commands like curl to test these endpoints without any Authorization headers. For example:

• curl -X POST http://<target-host>/api/vanna/v2/chat_poll -d '{"query":"test"}' -H 'Content-Type: application/json'
• curl -X POST http://<target-host>/api/vanna/v2/chat_sse -d '{"query":"test"}' -H 'Content-Type: application/json'
• curl -X POST http://<target-host>/api/vanna/v2/chat_websocket -d '{"query":"test"}' -H 'Content-Type: application/json'

If these requests succeed and return data without requiring any authentication token or header, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to implement authentication middleware at the HTTP layer for the vulnerable API endpoints.

For example, if using FastAPI, add an HTTPBearer security scheme with a token verification dependency that validates JWT tokens before processing requests to endpoints like /api/vanna/v2/chat_poll.

This will ensure that only requests with valid authentication tokens are processed, preventing unauthenticated access.

Until an official patch or update is released by the vendor, consider restricting network access to these endpoints using firewall rules or network segmentation to limit exposure.

Useful 0 Not Useful 0