CVE-2025-68472: The Absolute Path to Destruction in MindsDB
Jan 12, 2026
Executive Summary (TL;DR)
MindsDB forgot how Python's `os.path.join` works. By sending a JSON payload with an absolute path to an unauthenticated PUT endpoint, attackers can trick the server into 'moving' critical system files (like `/etc/passwd`) into the database storage. This allows for data exfiltration via SQL queries and causes a Denial of Service by deleting the source file from the disk.
An unauthenticated path traversal vulnerability in MindsDB's file upload API allows attackers to hijack absolute paths, moving sensitive system files into public storage and deleting them from the OS.
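The root cause described above is a property of `os.path.join` itself: when any component is an absolute path, every component before it is discarded, so a storage directory prefixed to user input offers no protection. The following added example (not MindsDB's code; the storage directory name and function names are assumptions chosen for illustration) shows the flawed join beside a hardened version that rejects absolute input and verifies the resolved result still lies inside the storage directory, which also covers `..` traversal.

```python
import os
from pathlib import Path

# Constructed storage directory for the demonstration; it need not exist,
# because Path.resolve() is non-strict by default.
STORAGE_DIR = "/tmp/mindsdb_storage_example"


def naive_join(storage_dir: str, user_supplied: str) -> str:
    """Mirrors the vulnerable pattern: os.path.join drops every earlier
    component as soon as a later one is absolute, so an absolute value from
    the request body replaces the storage directory entirely."""
    return os.path.join(storage_dir, user_supplied)


def safe_join(storage_dir: str, user_supplied: str) -> str:
    """Hardened join: reject absolute input outright, then resolve the
    candidate and confirm it is still underneath the storage directory."""
    base = Path(storage_dir).resolve()
    if os.path.isabs(user_supplied):
        raise ValueError("absolute paths are not allowed")
    candidate = (base / user_supplied).resolve()
    try:
        # relative_to raises ValueError if candidate is not inside base,
        # which catches '..' sequences that resolve() has collapsed.
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("path escapes the storage directory") from None
    return str(candidate)


def is_safe_upload_name(storage_dir: str, user_supplied: str) -> bool:
    """Convenience predicate for request validation: True only when the
    hardened join accepts the value."""
    try:
        safe_join(storage_dir, user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Demonstrates the os.path.join behaviour without touching any real file.
    print(naive_join(STORAGE_DIR, "/etc/passwd"))          # storage dir silently dropped
    print(naive_join(STORAGE_DIR, "uploads/data.csv"))     # normal case
    print(is_safe_upload_name(STORAGE_DIR, "/etc/passwd"))         # False
    print(is_safe_upload_name(STORAGE_DIR, "../../etc/passwd"))    # False
    print(is_safe_upload_name(STORAGE_DIR, "uploads/data.csv"))    # True
```

The predicate is the piece to wire into request validation before any `shutil.move` or rename is attempted; the fix in 25.11.1 is not reproduced here, only the general pattern for this class of bug.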
Official Patches
Technical Appendix
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| MindsDB MindsDB | < 25.11.1 | 25.11.1 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (API) |
| CVSS v3.1 | 8.1 (High) |
| CWE | CWE-22 (Path Traversal) |
| Impact | Info Disclosure & DoS |
| Exploit Status | PoC Available |
| Authentication | None Required |
MITRE ATT&CK Mapping
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Known Exploits & Detection
Vulnerability Timeline