CVE-2026-10105: SQL Injection in Agno 2.6.5 ClickHouse Backend
Agno version 2.6.5 contains a SQL injection flaw in its ClickHouse vector database integration. An authenticated attacker can inject malicious SQL commands through the delete_by_metadata() function by crafting specially formatted metadata keys and values. This allows an attacker to delete database records, steal sensitive data, or manipulate stored information. The vulnerability requires valid credentials to exploit, but once authenticated, an attacker has significant control over the database.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from unsafe f-string interpolation in clickhousedb.py within agno 2.6.5's ClickHouse backend. The delete_by_metadata() method fails to sanitize user-supplied metadata keys and values before embedding them directly into SQL queries. An authenticated attacker can leverage CWE-89 (SQL injection) to inject arbitrary SQL expressions, enabling attack vectors including but not limited to: mass deletion of rows, targeted row deletion, error-based information extraction, and blind SQL injection for data exfiltration. The vulnerability is particularly dangerous in deployments where agno manages sensitive vector data or metadata indices.
Business impact
Exploitation could result in unauthorized data deletion, loss of critical vector embeddings or associated metadata, or extraction of confidential information stored in the ClickHouse backend. For organizations using agno in production AI/ML pipelines or semantic search systems, an insider or compromised account could disrupt data integrity, cause service unavailability, or breach data confidentiality. Recovery from mass deletion may require database restoration from backups, incurring operational downtime and potential data loss. The confidentiality and integrity impacts are rated high, making this a material risk for security-conscious deployments.
Affected systems
Agno version 2.6.5 is affected. Organizations running agno with a ClickHouse backend should assess their deployment. The vulnerability is not exploitable without valid authentication credentials, so risk is limited to insider threats, compromised service accounts, or lateral movement scenarios within a network where agno is accessible. Earlier or later versions of agno have not been specified in available advisories; verify your version and check vendor release notes for patched builds.
Exploitability
Exploitability is moderate to high given that an authenticated user is required. An attacker cannot exploit this vulnerability remotely without valid credentials (PR:L in the CVSS vector indicates low privilege requirement post-authentication). However, the attack complexity is low (AC:L), meaning that once authenticated, crafting a malicious payload requires minimal effort—straightforward SQL injection syntax. No user interaction or code execution is needed beyond a single API call. In environments with weak credential hygiene or shared service accounts, the practical exploitability increases significantly.
Remediation
Immediate remediation requires upgrading agno to a patched version released after 2.6.5. Verify the vendor advisory at agno's official repository or security page for the recommended release. In the interim, implement network segmentation and access controls to limit who can authenticate to agno instances. Restrict delete_by_metadata() API access through application-layer authorization checks. Ensure ClickHouse backends are network-isolated and that database credentials are not shared across multiple services.
Patch guidance
Check the agno project's official GitHub releases page or security advisories for a version newer than 2.6.5 that addresses this SQL injection. Apply the patch in a staging environment first to validate compatibility with your AI/ML pipeline and ClickHouse schema. Verify that vector data and metadata queries continue to function correctly post-patching. Consider scheduling the upgrade during a maintenance window to minimize service disruption. If a patched version is not yet available, consult the vendor's security advisory for temporary mitigation recommendations.
Detection guidance
Monitor ClickHouse query logs for suspicious SQL patterns in metadata-related delete operations—particularly those containing SQL keywords, special characters, or unexpected operators within metadata key and value fields. Implement alerting on failed or successful delete_by_metadata() calls that target unexpectedly large row counts or exhibit error-based SQL injection markers (e.g., UNION, CASE, or subquery keywords in metadata values). Enable audit logging on agno API endpoints to capture the identity and timestamp of callers invoking delete_by_metadata(). Review authentication logs for unusual account access or privilege escalation preceding any unusual database deletions.
Why prioritize this
Despite a CVSS score of 8.3 (HIGH), this vulnerability warrants high prioritization because it directly threatens data integrity and confidentiality in AI/ML systems where vector databases are mission-critical. The combination of high confidentiality and integrity impact, low attack complexity, and the widespread use of ClickHouse for semantic search and RAG systems means that exploitation could have cascading effects on dependent applications. Even though it requires authentication, insider threats and credential compromise are common in practice. Organizations should prioritize patching or implementing compensating controls within weeks, not months.
Risk score, explained
The CVSS 3.1 score of 8.3 reflects: network-accessible attack surface (AV:N), low attack complexity once authenticated (AC:L), requirement for valid credentials (PR:L), no user interaction needed (UI:N), unscoped impact (S:U), high confidentiality loss (C:H), high integrity impact (I:H), and low availability impact (A:L). The high score is justified by the severity of potential data loss and information disclosure. However, the authentication prerequisite prevents a score in the critical range, making this HIGH rather than CRITICAL. Organizations should treat this as a material security debt requiring prompt remediation.
Frequently asked questions
Do I need to have ClickHouse credentials to exploit this vulnerability?
No, but you do need valid authentication credentials for agno itself. The vulnerability is triggered through agno's API; ClickHouse credentials are handled internally by agno. An attacker with compromised agno credentials can exploit the flaw without directly authenticating to ClickHouse.
Can this vulnerability be exploited remotely without authentication?
No. The CVSS vector includes PR:L (low privilege requirement), meaning an attacker must possess valid agno credentials or a session token. Remote unauthenticated exploitation is not possible. However, compromised or insider accounts can exploit it trivially.
What data can be extracted using blind SQL injection through this vulnerability?
An attacker can extract any data visible to the ClickHouse user account running agno's queries, including table schemas, metadata values, vector indices, and potentially sensitive information stored alongside vectors. Error-based injection may leak database version, table names, and column metadata. The scope of extraction depends on the ClickHouse user's database permissions and the application's data classification.
Is there a workaround if we cannot patch immediately?
Implement strict network access controls and IP whitelisting for agno instances. Use application-level authorization to restrict which authenticated users can invoke delete_by_metadata(). Enforce strong authentication and session management. Monitor and alert on suspicious delete operations. These are temporary measures; patching remains the authoritative fix.
This analysis is provided for informational and remediation planning purposes. CVSS scores and vulnerability classifications are derived from official CVE records. Patch availability, version numbers, and workaround effectiveness should be independently verified against the agno project's official advisories and documentation. Organizations should conduct their own risk assessment based on their specific deployment architecture, data sensitivity, and threat model. This explainer does not constitute professional security advice; consult with your security team before implementing any remediation strategy. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access