3 vulnerabilities by agno-agi
CVE-2026-10105 (GCVE-0-2026-10105)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:18 – Updated: 2026-06-02 01:44
Title
agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()
Summary
agno up to and including 2.6.5 (the record's affected range is ≤ 2.6.5) contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques. Exploitation requires that an application forward attacker-controlled metadata keys or values into delete_by_metadata(); the CNA's CVSS vectors assume a network attacker with low privileges (PR:L). The record names no fixed release; the fix is tracked in agno-agi/agno PR #7883 (see the patch references below).
Severity
8.7 (High) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
8.3 (High) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
VulnCheck
References
5 references
| URL | Tags |
|---|---|
| https://github.com/agno-agi/agno/issues/7866 | issue-tracking |
| https://github.com/agno-agi/agno/pull/7883 | technical-description |
| https://github.com/agno-agi/agno/pull/7883/change… | patch |
| https://github.com/agno-agi/agno/pull/7883/change… | patch |
| https://www.vulncheck.com/advisories/agno-sql-inj… | third-party-advisory |
Impacted products
agno-agi agno, all versions up to and including 2.6.5 (version range expressed with versionType "git"). The record additionally lists the two commits 26a7439b803c0ccc9a58ee53572d8088a678923f and a0ec99305e782e68ba26f5966c53ad50b5f40132 as affected with lessThanOrEqual; those hashes are the PR #7883 patch commits cited in the references, so a build that includes them should be treated as fixed rather than affected — confirm against the PR before relying on this.
Date Public
2026-05-29 16:00
Credits
YU SUN (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10105",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T01:43:05.133215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T01:44:22.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/agno-agi/agno/issues/7866"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "agno",
"vendor": "agno-agi",
"versions": [
{
"lessThanOrEqual": "2.6.5",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThanOrEqual": "26a7439b803c0ccc9a58ee53572d8088a678923f",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThanOrEqual": "a0ec99305e782e68ba26f5966c53ad50b5f40132",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "YU SUN"
}
],
"datePublic": "2026-05-29T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eagno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques.\u003c/p\u003e"
}
],
"value": "agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:18:59.425Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/agno-agi/agno/issues/7866"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/agno-agi/agno/pull/7883"
},
{
"tags": [
"patch"
],
"url": "https://github.com/agno-agi/agno/pull/7883/changes/26a7439b803c0ccc9a58ee53572d8088a678923f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/agno-agi/agno/pull/7883/changes/a0ec99305e782e68ba26f5966c53ad50b5f40132"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/agno-sql-injection-via-clickhouse-delete-by-metadata"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()"
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-10105",
"datePublished": "2026-05-29T16:18:19.647Z",
"dateReserved": "2026-05-29T16:02:26.062Z",
"dateUpdated": "2026-06-02T01:44:22.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64168 (GCVE-0-2025-64168)
Vulnerability from cvelistv5 – Published: 2025-10-31 14:58 – Updated: 2025-10-31 15:39
Title
Agno session state overwrites between different sessions/users
Summary
Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. Because the mis-assigned state is persisted, user data from one session may be exposed to another user beyond the lifetime of the racing request. This has been patched in version 2.2.2; the record gives no workaround, so multi-tenant deployments on 2.0.0–2.2.1 should upgrade. The race is timing-dependent, which is reflected in the CVSS attack complexity of High.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/agno-agi/agno/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T15:39:26.705889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T15:39:39.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "agno",
"vendor": "agno-agi",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user. This has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T14:58:54.447Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/agno-agi/agno/security/advisories/GHSA-vw84-hprm-cxmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/agno-agi/agno/security/advisories/GHSA-vw84-hprm-cxmm"
}
],
"source": {
"advisory": "GHSA-vw84-hprm-cxmm",
"discovery": "UNKNOWN"
},
"title": "Agno session state overwrites between different sessions/users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64168",
"datePublished": "2025-10-31T14:58:54.447Z",
"dateReserved": "2025-10-28T21:07:16.438Z",
"dateUpdated": "2025-10-31T15:39:39.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8665 (GCVE-0-2025-8665)
Vulnerability from cvelistv5 – Published: 2025-08-06 17:02 – Updated: 2025-08-06 17:31
Title
agno-agi agno Model Context Protocol mcp.py MultiMCPTools os command injection
Summary
A vulnerability, which VulDB classified as critical, has been found in agno-agi agno 1.7.0 through 1.7.5. This issue affects the function MCPTools/MultiMCPTools in the library libs/agno/agno/tools/mcp.py of the component Model Context Protocol Handler. Manipulation of the `command` argument passed to MCPTools/MultiMCPTools leads to OS command injection; exploitation therefore requires that an application populate that argument from untrusted input. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used, although both proof-of-concept references in this record are tagged broken-link and may no longer be retrievable. The vendor was contacted early about this disclosure but did not respond in any way. Note that VulDB's "critical" label is its own classification; the CNA's CVSS scores are Medium (5.3 under v4.0, 6.3 under v3.1/v3.0), and the record names no fixed version.
Severity
5.3 (Medium) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6.3 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.3 (Medium) — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.5 — CVSS 2.0 AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - OS Command Injection
- CWE-77 - Command Injection
Assigner
VulDB
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.319025 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.319025 | signature, permissions-required |
| https://vuldb.com/?submit.620530 | third-party-advisory |
| https://github.com/bayuncao-bit/vul-30 | broken-link |
| https://github.com/bayuncao-bit/vul-30#proof-of-concept | broken-link, exploit |
Impacted products
agno-agi agno 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4 and 1.7.5 (module: Model Context Protocol Handler). No fixed version is listed in the record.
Credits
bayuncao (VulDB User), reporter
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8665",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T17:30:58.533392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T17:31:11.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Model Context Protocol Handler"
],
"product": "agno",
"vendor": "agno-agi",
"versions": [
{
"status": "affected",
"version": "1.7.0"
},
{
"status": "affected",
"version": "1.7.1"
},
{
"status": "affected",
"version": "1.7.2"
},
{
"status": "affected",
"version": "1.7.3"
},
{
"status": "affected",
"version": "1.7.4"
},
{
"status": "affected",
"version": "1.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "bayuncao (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in agno-agi agno up to 1.7.5. This issue affects the function MCPTools/MultiMCPTools in the library libs/agno/agno/tools/mcp.py of the component Model Context Protocol Handler. The manipulation of the argument command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in agno-agi agno bis 1.7.5 entdeckt. Sie wurde als kritisch eingestuft. Davon betroffen ist die Funktion MCPTools/MultiMCPTools in der Bibliothek libs/agno/agno/tools/mcp.py der Komponente Model Context Protocol Handler. Durch die Manipulation des Arguments command mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T17:02:04.987Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-319025 | agno-agi agno Model Context Protocol mcp.py MultiMCPTools os command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.319025"
},
{
"name": "VDB-319025 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.319025"
},
{
"name": "Submit #620530 | agno-agi agno v1.7.5 OS Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.620530"
},
{
"tags": [
"broken-link"
],
"url": "https://github.com/bayuncao-bit/vul-30"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://github.com/bayuncao-bit/vul-30#proof-of-concept"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-06T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-06T10:33:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "agno-agi agno Model Context Protocol mcp.py MultiMCPTools os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8665",
"datePublished": "2025-08-06T17:02:04.987Z",
"dateReserved": "2025-08-06T08:28:22.575Z",
"dateUpdated": "2025-08-06T17:31:11.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}