CVE-2026-10105
Status: Deferred - Pending Action
SQL Injection in agno ClickHouse Backend

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: VulnCheck

Description
agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS evaluated: 2026-06-18
Affected Vendors & Products (1 associated CPE)
Vendor: agno
Product: agno
Version / Range: to 2.6.5 (exc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2026-10105 is a SQL injection vulnerability in agno version 2.6.5 affecting its ClickHouse vector database backend. The issue arises in the delete_by_metadata() method, where user-supplied metadata keys and values are directly inserted into SQL DELETE statements using unsafe f-string interpolation. This allows attackers to inject arbitrary SQL expressions.

By crafting malicious metadata keys and values, attackers can manipulate the SQL query to delete all rows, target specific rows, or extract information using error-based or blind SQL injection techniques.

Impact Analysis

This vulnerability can have severe impacts including mass deletion of vector embeddings or database rows, targeted deletion of specific documents, and unauthorized extraction of sensitive data.

In shared deployments, it may also lead to cross-tenant data access, compromising data confidentiality and integrity.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious SQL DELETE queries targeting the ClickHouse vector database backend, especially those containing metadata keys or values that appear to be crafted for SQL injection, such as tautologies or injected SQL logic.

Since the vulnerability arises from unsafe f-string interpolation in the delete_by_metadata() method, detection can involve inspecting logs or query histories for DELETE statements with suspicious WHERE clauses constructed from metadata.

Suggested commands to detect potential exploitation attempts include searching database query logs for suspicious patterns. For example, using grep or similar tools to find DELETE queries with suspicious metadata keys or values:

  • grep -i "DELETE FROM" /path/to/clickhouse/query/logs | grep -E "(\' OR \'1\'=\'1|\) = \'1\' OR \('1)"
  • Use ClickHouse system tables to query recent queries for suspicious patterns, e.g.: SELECT query, event_time FROM system.query_log WHERE query LIKE '%DELETE%' AND query LIKE '%OR%1=1%';

Additionally, monitoring for unexpected mass deletions or data extraction attempts in the vector database can indicate exploitation.

Mitigation Strategies

Immediate mitigation steps include updating agno to a version that contains the security fix addressing this SQL injection vulnerability.

The fix involves modifying the delete_by_metadata() method to use parameterized queries instead of unsafe f-string interpolation, ensuring that all metadata keys and values are properly escaped or passed as named parameters.

Until an update can be applied, you should:

  • Restrict or validate user input for metadata keys and values to prevent malicious SQL injection payloads.
  • Monitor and audit database queries for suspicious DELETE operations.
  • Limit privileges of users who can invoke the delete_by_metadata() method to reduce the risk of exploitation.

Applying the official patches or upgrading to a fixed version as soon as possible is strongly recommended to fully remediate the vulnerability.
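The following is an added illustration of the fix pattern described above, not agno's own code: a metadata-filter builder that interpolates keys and values with an f-string, beside a hardened builder that validates keys against a strict identifier pattern and passes both keys and values as ClickHouse named query parameters ({name:Type}). The table name, the Map(String, String) column called meta and the function names are constructed assumptions.

```python
# Added example (not agno's code): unsafe f-string DELETE builder beside a
# hardened builder that uses ClickHouse server-side query parameters.
import re
from typing import Dict, Tuple

# Assumed schema: metadata lives in a Map(String, String) column named `meta`.
TABLE = "embeddings"


def build_delete_unsafe(metadata: Dict[str, str]) -> str:
    """Vulnerable pattern: keys and values are spliced straight into SQL text,
    so a value such as x' OR '1'='1 turns the WHERE clause into a tautology."""
    clauses = [f"meta['{k}'] = '{v}'" for k, v in metadata.items()]
    return f"DELETE FROM {TABLE} WHERE " + " AND ".join(clauses)


# Keys must look like plain identifiers; anything else is rejected outright.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_delete_safe(metadata: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Hardened pattern: every key is validated, and both keys and values are
    emitted as {name:String} placeholders with a separate parameter dict, so
    the ClickHouse server binds them as data and never parses them as SQL.
    The (sql, params) pair is handed to the client's parameter binding."""
    if not metadata:
        raise ValueError("refusing to build a DELETE with no filter")
    clauses, params = [], {}
    for i, (key, value) in enumerate(metadata.items()):
        if not _KEY_RE.match(key):
            raise ValueError(f"invalid metadata key: {key!r}")
        clauses.append(f"meta[{{k{i}:String}}] = {{v{i}:String}}")
        params[f"k{i}"] = key
        params[f"v{i}"] = str(value)
    return f"DELETE FROM {TABLE} WHERE " + " AND ".join(clauses), params


if __name__ == "__main__":
    tainted = {"doc_id": "x' OR '1'='1"}  # constructed sample input
    print(build_delete_unsafe(tainted))  # raw value lands in the SQL text
    print(build_delete_safe(tainted))    # value travels only in the params dict
```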

Compliance Impact

The SQL injection vulnerability in agno 2.6.5's ClickHouse vector database backend allows attackers to delete or extract sensitive data arbitrarily. Such unauthorized data access or deletion can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and availability.

Specifically, the ability to extract information through SQL injection could result in unauthorized disclosure of personal or protected health information, breaching confidentiality requirements. Similarly, the potential for mass deletion or targeted deletion of data impacts data integrity and availability, which are critical compliance aspects.

Therefore, exploitation of this vulnerability could cause non-compliance with standards that require safeguarding sensitive data against unauthorized access and ensuring data integrity and availability.
