Platform: python
Component: mindsdb
Fixed in: 25.11.2, 25.11.1
CVE-2025-68472 describes a Path Traversal vulnerability affecting MindsDB, a platform for building AI from enterprise data. This flaw allows unauthenticated attackers to read sensitive files from the server's filesystem and potentially move them into MindsDB's storage. The vulnerability impacts versions of MindsDB up to and including 25.9.3rc1, and a fix is available in version 25.11.1.
The primary impact of this vulnerability is the potential for unauthorized access to sensitive data stored on the server. An attacker can exploit this flaw to read configuration files, database credentials, or other confidential information. Furthermore, the ability to move files into MindsDB’s storage could allow an attacker to overwrite existing data or introduce malicious files, potentially leading to data corruption or further compromise of the system. This vulnerability resembles other path traversal exploits where attackers leverage predictable file system structures to bypass access controls.
This vulnerability was publicly disclosed on 2026-01-12. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on CISA KEV. The CVSS score of 8.1 (HIGH) indicates a significant risk, suggesting a moderate probability of exploitation if the vulnerability remains unpatched.
Exploit Status
EPSS: 0.45% (64th percentile)
The recommended mitigation is to immediately upgrade MindsDB to version 25.11.1 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the file upload API or implementing stricter input validation to prevent malicious path manipulation. Review and audit file upload processes to ensure proper sanitization of user-supplied data. After upgrading, confirm the fix by attempting a path traversal attack via the file upload API and verifying that access is denied.
Update MindsDB to version 25.11.1 or higher. This version fixes the path traversal vulnerability in the file upload API, preventing the reading of arbitrary files and the exposure of sensitive data.
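The advisory recommends stricter input validation on the file upload path as an interim measure. The following is an added, illustrative check written for this page; it is not MindsDB's own code and does not reflect how MindsDB implements its fix. It assumes a hypothetical storage directory and a user-supplied relative file name that has already been URL-decoded by the web framework, and it rejects absolute paths, drive-letter prefixes, parent-directory components, NUL bytes, and any resolved path (after symlinks) that lands outside the storage directory.

```python
import os
from pathlib import PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a user-supplied file name would escape the storage directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Return an absolute path inside base_dir for a user-supplied relative name.

    base_dir is the server-side storage root (hypothetical in this example).
    user_path is the decoded, client-controlled name from an upload request.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")

    # Treat backslashes as separators so 'a\..\b' cannot smuggle a traversal
    # past a POSIX-only check.
    normalized = user_path.replace("\\", "/")
    rel = PurePosixPath(normalized)

    # Reject absolute POSIX paths, UNC-style '//host/share' and 'C:' prefixes.
    # (Conservative: a name whose second character is ':' is refused as well.)
    if rel.is_absolute() or normalized.startswith("//") or (
        len(normalized) > 1 and normalized[1] == ":"
    ):
        raise UnsafePathError("absolute path not allowed")

    parts = rel.parts  # PurePosixPath drops '.' and empty components for us
    if not parts:
        raise UnsafePathError("empty path")
    if any(part == ".." for part in parts):
        raise UnsafePathError("parent directory reference not allowed")

    # Resolve both sides and require containment. This also catches a symlink
    # inside base_dir that points outside it.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePathError("path escapes storage directory")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if safe_join would accept user_path."""
    try:
        safe_join(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical storage root and file names).
    storage_root = "/srv/example-storage"
    samples = [
        "report.csv",
        "sub/./report.csv",
        "../../etc/passwd",
        "/etc/passwd",
        "sub\\..\\..\\secret",
        "C:/Windows/win.ini",
        "",
    ]
    for name in samples:
        verdict = "accepted" if is_safe(storage_root, name) else "rejected"
        print(f"{name!r:30} -> {verdict}")
```

The containment check after `realpath` is the part that matters most: string-based filtering of `..` alone is easy to get wrong, so the final decision is made on the resolved path rather than on the raw input.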
CVE-2025-68472 is a Path Traversal vulnerability in MindsDB versions up to 25.9.3rc1, allowing unauthenticated attackers to read sensitive files.
You are affected if you are running MindsDB version 25.9.3rc1 or earlier. Upgrade to 25.11.1 to resolve the issue.
Upgrade MindsDB to version 25.11.1 or later. As a temporary workaround, restrict network access to the file upload API.
There is no confirmed active exploitation of CVE-2025-68472 at this time, but the HIGH severity score warrants immediate attention.
Refer to the official MindsDB security advisory for detailed information and updates regarding CVE-2025-68472.