{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-10105/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-10105"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["agno 2.6.5"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-10105","database"],"_cs_type":"advisory","_cs_vendors":["ClickHouse"],"content_html":"\u003cp\u003eThe ClickHouse vector database backend of Agno 2.6.5 is susceptible to a SQL injection vulnerability (CVE-2026-10105). The flaw stems from unsafe f-string interpolation in the \u003ccode\u003eclickhousedb.py\u003c/code\u003e module, specifically in the \u003ccode\u003edelete_by_metadata()\u003c/code\u003e method: the metadata keys and values supplied to a deletion operation are written directly into the SQL text, so an attacker who controls them can inject arbitrary SQL expressions. The vulnerability was reported on May 29, 2026. Successful exploitation can result in unauthorized data manipulation, including deletion of all rows or of selected rows, and in information disclosure through error-based or blind SQL injection. This poses a significant risk to the integrity and confidentiality of data in systems running the affected version of Agno with the ClickHouse backend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an Agno 2.6.5 deployment that uses the ClickHouse vector database backend and a path through which attacker-controlled metadata reaches \u003ccode\u003edelete_by_metadata()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts metadata keys and values containing SQL injection payloads and submits them in a deletion request.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edelete_by_metadata()\u003c/code\u003e in \u003ccode\u003eclickhousedb.py\u003c/code\u003e interpolates the attacker-supplied keys and values into the SQL statement with an f-string, without parameter binding.\u003c/li\u003e\n\u003cli\u003eThe resulting statement, including the injected SQL, is executed against the ClickHouse database.\u003c/li\u003e\n\u003cli\u003eA payload that turns the \u003ccode\u003eWHERE\u003c/code\u003e clause into a tautology deletes every row in the table; a payload that rewrites the \u003ccode\u003eWHERE\u003c/code\u003e clause deletes rows of the attacker\u0026rsquo;s choosing.\u003c/li\u003e\n\u003cli\u003eBy observing error messages or differences in the application\u0026rsquo;s responses, the attacker can use error-based or blind SQL injection to extract sensitive information from the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-10105 can have several outcomes. An attacker could delete all data in the affected ClickHouse table, causing complete data loss and service disruption. Targeted deletion compromises the integrity of specific datasets, leaving the vector store inaccurate or incomplete. Sensitive information stored in the database can be extracted through error-based or blind SQL injection, breaching confidentiality. The CVSS v3.1 base score for this vulnerability is 8.3 (High).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Agno that addresses CVE-2026-10105 so that the vulnerable code is no longer in use.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-10105 Exploitation Attempt — Malicious Metadata in Agno ClickHouse DELETE Request\u0026rdquo; to identify exploitation attempts targeting the \u003ccode\u003edelete_by_metadata()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is in place, treat every metadata key and value that reaches \u003ccode\u003edelete_by_metadata()\u003c/code\u003e as untrusted: restrict keys to an allowlist of expected names and do not pass user-controlled values through to it.\u003c/li\u003e\n\u003cli\u003eIn any code that builds ClickHouse queries, bind values with server-side query parameters (\u003ccode\u003e{name:Type}\u003c/code\u003e placeholders) instead of interpolating them into the SQL text. Input validation is a secondary control, and output encoding addresses cross-site scripting rather than SQL injection.\u003c/li\u003e\n\u003cli\u003eMonitor ClickHouse query logs (\u003ccode\u003esystem.query_log\u003c/code\u003e) for suspicious \u003ccode\u003eDELETE\u003c/code\u003e statements originating from the Agno application, as covered by the \u0026ldquo;Detect Generic SQL Injection Attempts in ClickHouse Logs\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T18:18:38Z","date_published":"2026-05-29T18:18:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-agno-sql-injection/","summary":"Agno 2.6.5 is vulnerable to SQL injection in the ClickHouse vector database backend (CVE-2026-10105), enabling attackers to inject arbitrary SQL expressions via malicious metadata in the delete_by_metadata() method, potentially leading to data deletion or information extraction.","title":"Agno 2.6.5 ClickHouse Backend SQL Injection (CVE-2026-10105)","url":"https://feed.craftedsignal.io/briefs/2026-05-agno-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-10105","version":"https://jsonfeed.org/version/1.1"}
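The pattern the brief describes (metadata interpolated into a ClickHouse DELETE with an f-string), the parameterized form the recommendation calls for, and a query-log check of the kind the Sigma rules apply, as an added example written for this page. It is not Agno's `clickhousedb.py`: the function names, the table name `vectors` and the map column `meta_data` are assumptions, and the attacker input is constructed.

```python
"""Added illustration for the CVE-2026-10105 pattern described in the brief.

Example code written for this page, not Agno's clickhousedb.py. The function
names, the table name `vectors` and the map column `meta_data` are assumptions.
It shows (1) an f-string DELETE builder of the kind the advisory describes and
how a crafted value rewrites its WHERE clause, (2) a hardened builder that
allowlists keys and binds keys and values as ClickHouse server-side query
parameters, and (3) a crude check of the sort a log-based detection rule would
apply to DELETE statements.
"""
import re
from typing import Any

TABLE = "vectors"       # assumed table name
META_COL = "meta_data"  # assumed Map(String, String) column holding document metadata

# Metadata keys must look like plain identifiers; quotes, brackets and spaces
# are rejected so a key can never close the map subscript or the string literal.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def key_is_safe(key: str) -> bool:
    """True when the metadata key matches the identifier allowlist."""
    return KEY_RE.match(key) is not None


def build_delete_vulnerable(metadata: dict[str, Any]) -> str:
    """Unsafe pattern: keys and values are dropped straight into the SQL text.

    A value such as "42' OR 1 = 1 -- " closes the literal, appends a tautology
    and comments out the trailing quote, so the statement deletes every row.
    """
    conds = " AND ".join(f"{META_COL}['{k}'] = '{v}'" for k, v in metadata.items())
    return f"DELETE FROM {TABLE} WHERE {conds}"


def build_delete_hardened(metadata: dict[str, Any]) -> tuple[str, dict[str, str]]:
    """Hardened pattern: the SQL text contains no user data at all.

    Keys must pass key_is_safe(); both keys and values are sent as
    {name:String} query parameters, which the ClickHouse server substitutes as
    typed literals (clients such as clickhouse-connect pass them through a
    parameters dict). An empty filter is refused so the call can never turn
    into an unconditional DELETE.
    """
    if not metadata:
        raise ValueError("refusing to build an unconditional DELETE")
    conds: list[str] = []
    params: dict[str, str] = {}
    for i, (key, value) in enumerate(metadata.items()):
        if not key_is_safe(key):
            raise ValueError(f"invalid metadata key: {key!r}")
        conds.append(f"{META_COL}[{{k{i}:String}}] = {{v{i}:String}}")
        params[f"k{i}"] = key
        params[f"v{i}"] = str(value)
    return f"DELETE FROM {TABLE} WHERE " + " AND ".join(conds), params


# Markers a log rule would look for in DELETE statements: comment terminators,
# a second statement, numeric or string tautologies, UNION and time-based
# probes. A heuristic over the statement text, not a SQL parser.
SQLI_MARKERS = re.compile(
    r"(--|/\*|;\s*\w|\bOR\b\s+\d+\s*=\s*\d+|'\s*OR\s+'|\bUNION\b|\bsleep\s*\()",
    re.IGNORECASE,
)


def looks_injected(sql: str) -> bool:
    """Flag DELETE / ALTER ... DELETE statements that carry injection markers."""
    head = sql.lstrip().upper()
    if not (head.startswith("DELETE") or head.startswith("ALTER")):
        return False
    return SQLI_MARKERS.search(sql) is not None


if __name__ == "__main__":
    # Constructed attacker input, not a captured request.
    evil = {"doc_id": "42' OR 1 = 1 -- "}
    unsafe_sql = build_delete_vulnerable(evil)
    safe_sql, bound = build_delete_hardened(evil)
    print(unsafe_sql)
    print(safe_sql, bound)
    print(looks_injected(unsafe_sql), looks_injected(safe_sql))
```

The hardened builder leaves the attacker's value intact but harmless: it travels as the parameter `v0` and the server compares it as a string literal, so the statement text handed to the query log is the same for every caller and never trips the marker check. The vulnerable builder produces a statement whose `-- '` tail is exactly what the log check flags.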