A critical unsafe-reflection flaw in the txtai API lets a remote, unauthenticated attacker execute arbitrary code on the server under specific deployment conditions.
What Is It
CVE-2026-58449 is a remote code execution vulnerability in neuml's txtai through version 9.10.0. The API's /reindex endpoint resolves its function body parameter through txtai.util.Resolver, which performs __import__ and getattr on a caller-supplied dotted path with no allowlist. Because authentication is opt-in, when the API is exposed with no TOKEN configured all endpoints are unauthenticated. If the index is also configured writable, an attacker can set function to an arbitrary callable, such as subprocess.getoutput, achieving code execution as the server process during reindexing. The weakness is classified as CWE-94 (Code Injection).
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, with a secondary CVSS 4.0 score of 9.3. Attack vector is network-based, attack complexity is low, and no privileges or user interaction are required. A successful attack yields high impact to confidentiality, integrity, and availability, running code as the server process. Note that exploitation is not possible in the default configuration; it requires the API to be exposed, no TOKEN set, and a writable index.
What's Vulnerable
- Vendor: neuml
- Product: txtai
- Affected versions: all versions up to and including 9.10.0
- Fixed: commit
11b32da720f03276199ebc5583c15fc5d1ccafd3(marked unaffected)
Exploitation is limited to deployments where the API is exposed, no TOKEN is configured, and the index is writable.
Patch Status
The issue is fixed in commit 11b32da. The fix gates the /reindex endpoint behind a new reindex configuration flag. Operators should upgrade to a build that includes this commit. As interim mitigation, the source material indicates the risk depends on deployment conditions; configuring a TOKEN (enabling authentication) and avoiding an exposed, writable index removes the preconditions for exploitation. This CVE is not present in the supplied CISA KEV data, so there is no confirmation of active exploitation.