Home > Vulnerability Database > CVE-2025-68472

Mend.io Vulnerability Database

CVE-2025-68472

Good to know:

Date: January 12, 2026

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.

Severity Score

8.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68472

Url: https://github.com/mindsdb/mindsdb

Url: https://github.com/mindsdb/mindsdb/releases/tag/v25.11.1

Url: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7

Url: https://www.mend.io/vulnerability-database/CVE-2025-68472

Severity Score

8.1

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Relative Path Traversal

CWE-23

Absolute Path Traversal

CWE-36

Top Fix

Upgrade Version

Upgrade to version mindsdb - 25.11.1

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68472

Good to know:

Date: January 12, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?