CVE-2026-10105
SQL Injection in agno ClickHouse Backend
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agno | agno | < 2.6.5 (upper bound excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10105 is a SQL injection vulnerability in agno versions before 2.6.5, in the ClickHouse vector database backend. The issue is in the delete_by_metadata() method, where caller-supplied metadata keys and values are interpolated directly into SQL DELETE statements with f-strings instead of being passed as query parameters, so a quote character in either a key or a value changes the structure of the WHERE clause rather than being treated as data.
By crafting metadata keys or values, an attacker who can reach this method can turn the WHERE clause into a tautology and delete every row, target rows they should not be able to touch, or use error-based or blind SQL injection techniques to infer data from the database.
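The following is an added example, not agno's own code. It shows a hypothetical delete_by_metadata() query builder written in the f-string style the advisory describes, next to a parameterized rewrite of the kind the mitigation section calls for. It assumes a hypothetical table `documents` whose metadata is stored in a `Map(String, String)` column `meta`; the placeholders follow ClickHouse's server-side `{name:Type}` parameter syntax, and nothing here connects to a server.

```python
# Added example (not agno's code): vulnerable f-string DELETE builder beside a
# parameterized one. Table and column names are assumptions for illustration.
from typing import Any

TABLE = "documents"  # assumed table name; metadata assumed to be Map(String, String) in column "meta"


def build_delete_unsafe(metadata: dict[str, Any]) -> str:
    """Vulnerable pattern: keys and values are spliced into the SQL text, so a
    quote in either one changes the meaning of the WHERE clause."""
    conds = [f"meta['{k}'] = '{v}'" for k, v in metadata.items()]
    return f"DELETE FROM {TABLE} WHERE " + " AND ".join(conds)


def build_delete_param(metadata: dict[str, Any]) -> tuple[str, dict[str, str]]:
    """Hardened pattern: the SQL text contains only ClickHouse server-side
    parameter placeholders ({name:Type}); keys and values travel separately in
    the parameter dict, so the server never parses them as SQL."""
    if not metadata:
        raise ValueError("refusing to build a DELETE with no filter")
    conds: list[str] = []
    params: dict[str, str] = {}
    for i, (k, v) in enumerate(metadata.items()):
        if not isinstance(k, str) or not isinstance(v, (str, int, float, bool)):
            raise TypeError(f"unsupported metadata entry: {k!r}={v!r}")
        params[f"k{i}"] = k
        params[f"v{i}"] = str(v)
        # Map keys are values too, so the key can be a parameter; no identifier interpolation needed.
        conds.append(f"meta[{{k{i}:String}}] = {{v{i}:String}}")
    return f"DELETE FROM {TABLE} WHERE " + " AND ".join(conds), params


# Constructed payloads of the two kinds the advisory describes: one in the value, one in the key.
VALUE_PAYLOAD = {"tenant": "acme' OR '1'='1"}
KEY_PAYLOAD = {"tenant'] = '' OR 1=1 --": "acme"}

if __name__ == "__main__":
    print(build_delete_unsafe(VALUE_PAYLOAD))   # tautology: deletes every row
    print(build_delete_unsafe(KEY_PAYLOAD))     # key injection with a trailing comment
    print(build_delete_param(VALUE_PAYLOAD))    # payload stays inside the params dict
```

With the parameterized form the driver sends `sql` and `params` separately (clickhouse-connect, for example, takes a `parameters` dict for `{name:Type}` placeholders), so the quote characters in the payload never reach the SQL parser. The empty-filter check matters as well: a builder that accepts an empty metadata dict would emit an unconditional DELETE on its own.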
How can this vulnerability impact me?
This vulnerability can have severe impacts including mass deletion of vector embeddings or database rows, targeted deletion of specific documents, and unauthorized extraction of sensitive data.
In multi-tenant deployments where several tenants share one ClickHouse table, it may also lead to cross-tenant deletion or data access, compromising both confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation can be detected by monitoring for unusual or suspicious SQL DELETE queries against the ClickHouse vector database backend, in particular ones whose WHERE clause contains metadata keys or values that look crafted for injection: tautologies such as OR 1=1 or OR '1'='1', comment markers (--, /*) that cut off the rest of the statement, or stacked statements.
Since the vulnerability arises from unsafe f-string interpolation in the delete_by_metadata() method, detection comes down to inspecting the query history for DELETE statements whose WHERE clause was built from metadata and no longer looks like a plain key = value comparison. ClickHouse keeps the full text of every query (including ones that failed, which matters for error-based probing) in the system.query_log table when query logging is enabled, so that table is a more reliable source than the server's text log.
Suggested commands for searching for exploitation attempts:
- grep -iE "DELETE FROM|ALTER TABLE .* DELETE" /path/to/clickhouse/query/logs | grep -E "OR +'[^']*' *= *'|OR +[0-9]+ *= *[0-9]+|--|/\*"
- Query system.query_log directly, e.g.: SELECT event_time, user, type, query FROM system.query_log WHERE type != 'QueryStart' AND query ILIKE '%DELETE%' AND (query ILIKE '%OR 1=1%' OR query ILIKE '%OR ''1''=''1%' OR query LIKE '%--%') ORDER BY event_time DESC LIMIT 100;
Additionally, monitoring for unexpected mass deletions or data extraction attempts in the vector database can indicate exploitation.
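As an added example (not part of the original advisory and not agno's code), the detection logic described above run over a constructed sample in the shape of a tab-separated export of system.query_log (event_time, user, query). It flags DELETE statements (both `DELETE FROM` and `ALTER TABLE ... DELETE`) whose WHERE clause carries a tautology, a comment marker, or a stacked statement; the table and column names in the sample are assumptions.

```python
import re

# Constructed sample log, not real data: event_time<TAB>user<TAB>query.
SAMPLE_LOG = """\
2026-05-29 10:00:01\tagno_app\tDELETE FROM documents WHERE meta['tenant'] = 'acme'
2026-05-29 10:00:05\tagno_app\tDELETE FROM documents WHERE meta['tenant'] = 'x' OR '1'='1'
2026-05-29 10:00:09\tagno_app\tDELETE FROM documents WHERE meta['tenant'] = '' OR 1=1 --'] = 'x'
2026-05-29 10:00:12\tagno_app\tSELECT count() FROM documents WHERE meta['tenant'] = 'acme'
2026-05-29 10:00:20\tagno_app\tALTER TABLE documents DELETE WHERE meta['doc_id'] = 'd-42'
"""

# Either form of ClickHouse delete: lightweight DELETE FROM or the ALTER TABLE mutation.
DELETE_STMT = re.compile(r"^\s*(?:DELETE\s+FROM|ALTER\s+TABLE\s+\S+\s+DELETE)\b", re.I)
# OR 'x'='x', OR 1=1, OR TRUE: the backreferences require both sides to be identical.
TAUTOLOGY = re.compile(r"\bOR\s+(?:'([^']*)'\s*=\s*'\1'|(\d+)\s*=\s*\2|TRUE\b)", re.I)
COMMENT = re.compile(r"--|/\*")      # comment markers used to discard the rest of the statement
STACKED = re.compile(r";\s*\w")      # a second statement after a semicolon


def classify(query: str) -> list[str]:
    """Return the list of injection indicators found in one query text."""
    reasons = []
    if TAUTOLOGY.search(query):
        reasons.append("tautology")
    if COMMENT.search(query):
        reasons.append("comment")
    if STACKED.search(query):
        reasons.append("stacked")
    return reasons


def scan_query_log(text: str) -> list[tuple[str, list[str], str]]:
    """Scan tab-separated query_log rows; return (event_time, reasons, query) for suspicious deletes."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # malformed row
        event_time, _user, query = parts
        if not DELETE_STMT.match(query):
            continue  # only deletes are in scope for this check
        reasons = classify(query)
        if reasons:
            hits.append((event_time, reasons, query))
    return hits


if __name__ == "__main__":
    for event_time, reasons, query in scan_query_log(SAMPLE_LOG):
        print(f"{event_time}  {','.join(reasons):18s}  {query}")
```

The patterns are deliberately narrow so the output is reviewable by hand; a real deployment would also baseline the legitimate shape of delete_by_metadata() queries (a conjunction of key = value comparisons) and alert on any DELETE that deviates from it, since an attacker can avoid the literal strings matched here.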
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to update agno to a release that contains the fix for this SQL injection (the affected range ends before 2.6.5).
The fix changes delete_by_metadata() to build the DELETE statement with query parameters instead of f-string interpolation, so metadata keys and values are sent to ClickHouse as bound parameters rather than spliced into the SQL text; escaping is at best a fallback and not a substitute for parameterization.
Until an update can be applied, you should:
- Restrict what callers may pass as metadata keys and values (for example, allowlist the keys and reject values containing quote characters or SQL comment markers) until the patched version is deployed.
- Monitor and audit database queries for suspicious DELETE operations.
- Limit privileges of users who can invoke the delete_by_metadata() method to reduce the risk of exploitation.
Applying the official patches or upgrading to a fixed version as soon as possible is strongly recommended to fully remediate the vulnerability.