CVE-2025-68472: MindsDB has improper sanitation of filepath that leads to information disclosure and DOS

January 12, 2026 (updated January 20, 2026)

BlueRock discovered an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. Severity: High.

References

github.com/advisories/GHSA-qqhf-pm3j-96g7
github.com/mindsdb/mindsdb
github.com/mindsdb/mindsdb/releases/tag/v25.11.1
github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7
nvd.nist.gov/vuln/detail/CVE-2025-68472

Code Behaviors & Features

Detect and mitigate CVE-2025-68472 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →