In MLflow versions prior to 3.11.0 a critical severity vulnerability CVE-2026-4035 was detected. This vulnerability allows an attacker to exfiltrate sensitive server-side environment credentials, such as AWS access keys, to an attacker-controlled endpoint. This occurs because the api_key field in AI Gateway secrets incorrectly resolves environment variable references (e.g., $ENV_VAR) against the MLflow server’s environment during runtime. The resolved secrets are then sent in provider authentication headers to a configured upstream api_base. This can be exploited by unauthenticated users in default deployments or low-privileged users in basic-auth deployments, potentially leading to artifact poisoning and cross-boundary code execution. To address this issue, users should upgrade MLflow to version 3.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-4035.
Read more Data AnalyticsIn Kibana versions up to and including 8.19.15, prior to 9.3.3, 9.2.8, up to and including 9.4.1 a high severity vulnerability CVE-2026-42398 was detected. This vulnerability allows an authenticated user with connector management privileges to perform a Server-Side Request Forgery (SSRF) attack and bypass operator-configured connection allowlists. This occurs because an attacker can configure a Webhook connector with a specially crafted target, forcing Kibana to issue outbound requests to destinations that were intended to be blocked by egress restriction controls. To address this issue, users should upgrade Kibana to version 9.2.8 or 9.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42398.
Read more Data AnalyticsIn Grafana versions 6.7.0 through 11.6.13, 12.0.0 through 12.2.7, 12.3.0 through 12.3.5, 12.4.0 through 12.4.2, 13.0.0 a medium severity vulnerability CVE-2026-28383 was detected. This vulnerability allows an authenticated attacker to cause a Denial of Service (DoS) by triggering an out-of-memory condition. This occurs because the Grafana plugin resources endpoint reads the entire request body into memory without size limits, leading to unbounded memory allocation. To address this issue, users should upgrade Grafana to version 11.6.14+security-04, 12.2.8+security-04, 12.3.6+security-04, 12.4.3+security-02, 13.0.1+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-283833.
Read more DatabaseIn SQLite versions through 3.29.0 a medium severity vulnerability CVE-2019-16168 was detected. This vulnerability allows an attacker to cause a Denial of Service (DoS) by crashing a browser or any other application using the database. This occurs due to a severe division by zero error in the query planner (specifically within the whereLoopAddBtreeIndex function in sqlite3.c), which is triggered by missing validation of the sqlite_stat1 sz field. To address this issue, users should upgrade SQLite to version 3.29.0 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-16168.
Read more DatabaseIn MariaDB Server versions before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2 a medium severity vulnerability CVE-2026-35549 was detected. This vulnerability allows an attacker to cause a Denial of Service (DoS) by crashing the server. This occurs because when the caching_sha2_password authentication plugin is enabled and in use, sending a specially crafted large packet triggers a crash due to the unsafe use of the alloca function for memory allocation within sha256_crypt_r. To address this issue, users should upgrade MariaDB Server to versions 11.4.10, 11.8.6, or 12.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35549.
Read more DatabaseIn pgAdmin 4 versions before 9.15 a high severity vulnerability CVE-2026-7816 was detected. This vulnerability allows an authenticated user to achieve arbitrary operating-system command execution on the pgAdmin server or perform arbitrary file writes. This occurs because user-supplied input (including the query, format, on_error, and log_verbosity fields) is interpolated directly into a psql \copy metacommand template without proper sanitization. An attacker can exploit this by injecting strings like “) TO PROGRAM ‘cmd'” to break out of the intended \copy (…) context. To address this issue, users should upgrade pgAdmin 4 to version 9.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-7816.
Read more DatabaseIn Kibana versions 8.0.0 up a medium severity vulnerability CVE-2026-49094 was detected. This vulnerability allows an authenticated user with viewer-level access to cause a Denial of Service (DoS), rendering the application unavailable to all users until it is manually recovered. This occurs due to uncontrolled resource consumption (excessive CPU and memory allocation) when a request containing an oversized input value is submitted to an analytics collections management endpoint. To address this issue, users should upgrade Kibana to version 8.19.16, 9.3.5, and 9.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49094.
Read more Data AnalyticsIn MLflow versions prior to 3.9.0 a high severity vulnerability CVE-2026-2393 was detected. This vulnerability allows an authenticated attacker to perform a Server-Side Request Forgery (SSRF) attack, potentially leading to cloud credential theft, internal network access, and data exfiltration. This occurs because the application fails to validate, sanitize, or filter the user-controlled ‘url’ parameter in the webhook creation and delivery functions, allowing the backend server to be forced into sending HTTP POST requests to arbitrary internal or external destinations. To address this issue, users should upgrade MLflow to version 3.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2393.
Read more Data AnalyticsIn Kibana version 9.3.3 a medium severity vulnerability CVE-2026-49093 was detected. This vulnerability allows an authenticated user with connector management privileges to perform a Server-Side Request Forgery (SSRF) attack. This occurs because the application allows the user to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations that the egress controls were intended to block. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-49093.
Read more Data Analytics