How is CVE-2026-10105 exploited?

Network reachability (required): The attacker must reach the agno service hosting the ClickHouse vector backend over the network (AV:N). Authentication (required): Any low-privilege account that can call delete_by_metadata() with attacker-controlled keys or values is sufficient (PR:L). Victim interaction (not-required): No user has to click, open, or approve anything for the injection to fire (UI:N). Attack complexity (info): Attack complexity is low: the f-string interpolation is reliably exploitable without race conditions or environmental tuning (AC:L).

What is the impact of CVE-2026-10105?

Reads arbitrary rows from the ClickHouse vector store, including embeddings, source documents, and any metadata persisted alongside them, via error-based or blind SQL injection. Modifies or deletes rows in the vector store, up to and including wiping every row backing an agent's knowledge base. Causes partial availability loss for agents that depend on the corrupted or emptied vector collections.

Back to search

HIGHCVE-2026-10105Published 2026-05-29Modified 2026-05-29CNA VulnCheck

CVE-2026-10105: agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A SQL injection flaw in the agno AI agent framework lets an authenticated user smuggle arbitrary SQL through the ClickHouse vector backend's delete_by_metadata() method, which builds queries with unsafe f-string interpolation in clickhousedb.py. The bug is reachable over the network with any low-privilege account and no victim interaction, and successful exploitation lets an attacker delete arbitrary rows or exfiltrate data through error-based and blind SQL injection. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment a fixed version ships.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against agno installations in customer registries, pipelines, and custom-built images. Coverage includes pinned-version installs as well as the affected commit hashes listed in the advisory.

Available

Triage

Triage is available with the published CVSS v4.0 score of 8.7 (High), weighted against each customer organization's compliance policy so that AI/ML workloads or data-handling services can be escalated above the baseline. Findings are routed to the inbox configured for the owning team inside each customer org.

Available

Patch

No fix version has been published upstream. HarborGuard re-checks the agno advisory each ingest cycle and will make a patched-image rebuild available the moment the maintainers ship a fixed release; environments with auto-remediation enabled will then get a rebuild, regression-test run, and a PR opened against affected workloads automatically.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the agno service hosting the ClickHouse vector backend over the network (AV:N).
AuthenticationRequired
Any low-privilege account that can call delete_by_metadata() with attacker-controlled keys or values is sufficient (PR:L).
Victim interactionNot required
No user has to click, open, or approve anything for the injection to fire (UI:N).
Attack complexityDetail
Attack complexity is low: the f-string interpolation is reliably exploitable without race conditions or environmental tuning (AC:L).

Blast Radius

Reads arbitrary rows from the ClickHouse vector store, including embeddings, source documents, and any metadata persisted alongside them, via error-based or blind SQL injection.
Modifies or deletes rows in the vector store, up to and including wiping every row backing an agent's knowledge base.
Causes partial availability loss for agents that depend on the corrupted or emptied vector collections.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the agno advisory with automatic rematching against customer images on every ingest cycle, so a fixed release is picked up the moment it is published upstream. Until a patch exists, compensating controls customers can apply include restricting network reach to the agno service so only trusted internal callers can invoke delete_by_metadata(), tightening the privilege model so untrusted tenants cannot pass metadata keys or values into vector deletes, and feature-flag-gating any code path that forwards user-controlled metadata into the ClickHouse backend. When the upstream fix lands, environments with auto-remediation enabled will get a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically.

See how HarborGuard automates this

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

agno-agi / agno
≤ 2.6.5 · ≤ 26a7439b803c0ccc9a58ee53572d8088a678923f · ≤ a0ec99305e782e68ba26f5966c53ad50b5f40132

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References