HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-58449Published Modified CNA VulnCheck

CVE-2026-58449: txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a remote attacker can set function to an arbitrary callable such as subprocess.getoutput, achieving remote code execution as the server process during reindexing. Exploitation requires those deployment conditions (API exposed, no TOKEN, writable index); it is not the default configuration. The fix gates the endpoint behind a new reindex configuration flag.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
11b32da720f03276199ebc5583c15fc5d1ccafd3
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability exists in txtai versions through 9.10.0, caused by unsafe reflection in the /reindex API endpoint. The endpoint resolves a caller-supplied function parameter by calling __import__ and getattr on any dotted Python path with no allowlist, allowing any reachable caller to supply an arbitrary callable such as subprocess.getoutput. Exploitation is possible without any credentials over the network when the API is exposed without a TOKEN and the index is configured writable; successful exploitation gives the attacker code execution as the server process. A patched-image rebuild at commit 11b32da720f03276199ebc5583c15fc5d1ccafd3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle txtai, in both registry scans and active CI/CD pipeline checks.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS v4.0 9.3 (Critical) and weighting it against each environment's compliance policy to route the alert to the appropriate team inbox, ensuring the right engineers see it without noise reaching unrelated owners.

Available
Patch

A patched-image rebuild pinned to the fix commit (11b32da720f03276199ebc5583c15fc5d1ccafd3) is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the txtai API service over the network; any internet- or LAN-exposed deployment is in scope.

  • AuthenticationNot required

    No credentials are needed because authentication in txtai is opt-in and the vulnerable endpoint is fully unauthenticated when no TOKEN is configured.

  • Victim interactionNot required

    No user or administrator action is required; the attacker sends a crafted API request directly to the /reindex endpoint.

  • Attack complexityDetail

    The exploit is reliable and condition-free at the network level, though it does require that the target deployment exposes the API without a TOKEN and with a writable index.

Blast Radius

  • The attacker executes arbitrary operating system commands as the server process, giving them full control over anything that process can reach.
  • All data held in the txtai index is readable and modifiable, including any documents, embeddings, or stored records.
  • The server process itself can be crashed, corrupted, or hijacked, disrupting any service or pipeline that depends on the txtai API.
  • From the compromised server process, the attacker can pivot to other internal services or credentials accessible from that host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-58449 is active across all connected environments, matching images that include txtai at or below version 9.10.0. A patched-image rebuild targeting the fix commit (11b32da720f03276199ebc5583c15fc5d1ccafd3) is available now. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs the regression suite, and opens a pull request against impacted workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or deployment constraints prevent immediate patching, HarborGuard recommends applying network-policy isolation to restrict access to the txtai API port, enforcing a TOKEN value in the deployment configuration as a compensating control, and setting the index to read-only mode until the fix commit is deployed. These controls directly address the three deployment conditions the exploit requires.

See how HarborGuard automates this

Fix available

11b32da720f03276199ebc5583c15fc5d1ccafd3
Patch commits
Affected packages
  • neuml / txtai
    ≤ 9.10.0
    Fixed in 11b32da720f03276199ebc5583c15fc5d1ccafd3
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References