PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10105 agno-agi CVE debrief

A SQL injection vulnerability exists in agno 2.6.5 within the ClickHouse vector database backend. The `delete_by_metadata()` method in `clickhousedb.py` uses unsafe f-string interpolation when constructing SQL queries, allowing attackers to inject arbitrary SQL expressions through malicious metadata keys and values. This vulnerability was disclosed on 2026-05-29 and affects applications using agno's ClickHouse integration for vector storage operations.

Vendor: agno-agi
Product: agno
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running agno 2.6.5 with ClickHouse vector database backends, particularly those exposing metadata-driven deletion functionality to untrusted inputs. Development teams using agno for AI/ML applications with vector storage requirements should prioritize patching.

Technical summary

The vulnerability resides in the ClickHouse vector database backend implementation within agno 2.6.5. The `delete_by_metadata()` method constructs SQL DELETE queries using f-string interpolation with unsanitized metadata key and value inputs. Because keys and values are spliced directly into the query text, an attacker who controls them can break out of the intended WHERE clause and inject arbitrary SQL expressions. Successful exploitation can result in deletion of all rows in the target table, selective deletion of specific rows, or information extraction through error-based or blind SQL injection techniques. The attack is reachable over the network, has low complexity, requires no privileges, and needs no user interaction.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade agno to a version containing the fix from pull request 7883
  • Review and audit any custom metadata handling in ClickHouse-backed agno deployments
  • Implement parameterized query patterns for all database operations in agno integrations
  • Monitor application logs for suspicious SQL patterns or unexpected DELETE operations
  • Restrict database permissions for agno service accounts to limit potential data manipulation scope
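The following is an added illustration, not agno's code and not the fix from pull request 7883. It places the unsafe pattern the technical summary describes (f-string interpolation of metadata keys and values into a DELETE statement) beside a hardened builder that uses ClickHouse query parameters, as the "parameterized query patterns" action above recommends. The table name `vectors`, the column name `meta_data`, and the use of `JSONExtractString` are assumptions made for the example; agno's real schema may differ.

```python
import re
from typing import Any, Dict, Tuple

# Allowlist for the one piece that cannot be a query parameter: the table name.
# (Assumption for this example; adjust to the identifiers your deployment uses.)
TABLE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def vulnerable_delete_sql(table: str, metadata: Dict[str, Any]) -> str:
    """Reproduces the unsafe pattern described in the advisory, for contrast only.

    Keys and values are interpolated straight into the SQL text, so any quote or
    SQL syntax inside them becomes part of the statement.
    """
    conditions = " AND ".join(
        f"JSONExtractString(meta_data, '{key}') = '{value}'"
        for key, value in metadata.items()
    )
    return f"DELETE FROM {table} WHERE {conditions}"


def safe_delete_sql(table: str, metadata: Dict[str, Any]) -> Tuple[str, Dict[str, str]]:
    """Builds a DELETE with ClickHouse query parameters instead of interpolation.

    Returns (sql, params). Every metadata key and value travels as a typed
    parameter ({name:String}), so the driver and server treat it as data, never
    as SQL. The table name is validated against an identifier allowlist because
    identifiers cannot be bound as values.
    """
    if not TABLE_NAME_RE.match(table):
        raise ValueError(f"refusing unsafe table name: {table!r}")
    if not metadata:
        # An empty filter would delete every row; require at least one condition.
        raise ValueError("refusing unconditional DELETE")

    clauses = []
    params: Dict[str, str] = {}
    for i, (key, value) in enumerate(metadata.items()):
        clauses.append(
            f"JSONExtractString(meta_data, {{k{i}:String}}) = {{v{i}:String}}"
        )
        params[f"k{i}"] = str(key)
        params[f"v{i}"] = str(value)
    sql = f"DELETE FROM {table} WHERE " + " AND ".join(clauses)
    return sql, params


def has_unbalanced_quotes(sql: str) -> bool:
    """Cheap structural check: an odd number of single quotes means the
    statement's string literals no longer line up with what the caller intended."""
    return sql.count("'") % 2 == 1


if __name__ == "__main__":
    # Constructed input: an ordinary value containing an apostrophe is enough
    # to show the difference; no exploit payload is needed.
    meta = {"author": "O'Brien"}

    bad = vulnerable_delete_sql("vectors", meta)
    print("vulnerable:", bad, "| unbalanced quotes:", has_unbalanced_quotes(bad))

    good, params = safe_delete_sql("vectors", meta)
    print("hardened:  ", good)
    print("params:    ", params)
    # With clickhouse-connect the hardened form is executed as
    #   client.command(good, parameters=params)
    # (call shown in a comment so the example runs offline).
```

In the hardened form the apostrophe never reaches the SQL text; it is delivered in `params` and bound server-side. The empty-filter guard is also worth keeping in any metadata-driven delete path, since a caller that passes no conditions would otherwise issue a table-wide DELETE, which is the worst-case outcome the advisory describes.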

Evidence notes

The vulnerability is classified as CWE-89 (SQL Injection) per the primary weakness source. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no required privileges, and high impact to confidentiality and integrity. The NVD entry shows vulnStatus as 'Deferred'. Multiple GitHub references document the issue disclosure, the pull request fix, and the specific code changes that replace the unsafe string interpolation.

Official resources

2026-05-29