Remote Code Execution Vulnerability in txtai by Neuml
CVE-2026-58449

9.3 CRITICAL

Key Information:

Vendor

Neuml

Status
Vendor
CVE Published: 30 June 2026

What is CVE-2026-58449?

txtai, up to version 9.10.0, is exposed to a remote code execution vulnerability because its API endpoint, /reindex, resolves caller-supplied parameters without an allowlist. If the API is exposed without authentication (TOKEN not configured) and the index is writable, an attacker could exploit this to execute arbitrary code on the server. These conditions must all be met for exploitation, and they do not represent the default configuration. Fixes have been implemented to secure the endpoint.

Affected Version(s)

txtai 0 <= 9.10.0

txtai 11b32da720f03276199ebc5583c15fc5d1ccafd3

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen