VDB
KO
CRITICAL 9.8

PYSEC-2026-562

vanna vulnerable to remote code execution caused by prompt injection

Details

In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / vanna
Introduced in: 0

No fixed version published yet for vanna (pip). Pin to a known-safe version or switch to an alternative.

References