External risk intelligence

txtai Unauthenticated API RCE via Unsafe Reflection

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58449

The vulnerability exists in an API endpoint within the txtai software. While the specific conditions for exploitation require the API to be exposed, authentication disabled, and the index configured as writable, txtai is commonly deployed as an API service. Because it is designed to function as a web-accessible API, it is likely to be deployed in a reachable network configuration.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in txtai, an API that can allow an unauthenticated remote attacker to execute arbitrary code by manipulating a specific API endpoint under certain deployment conditions. The main concern is confirming relevance and exposure given that exploitation is not the default configuration.

  • Unauthenticated code execution via a vulnerable API.
  • Leadership should remember it for potential remote code execution.
  • Confirm if this API is exposed and unauthenticated.

Attack Path

How an attacker could exploit the issue

An attacker can achieve remote code execution by sending a crafted request to the `/reindex` API endpoint without authentication, provided the API is exposed and the index is writable. This happens because the `function` parameter is processed unsafely, allowing arbitrary code to be executed on the server during the reindexing process.

  • Exposed API and no authentication.
  • Unsafe function parameter resolution.
  • Remote code execution on server.

Live Threat

Current exploitation, exposure, and threat context

When deployed with the API exposed, no authentication token configured, and a writable index, a remote attacker could execute arbitrary code on the server. This capability could allow them to compromise the server process during reindexing operations.

  • Server process and its data
  • Unauthenticated API access
  • Remote code execution

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical vulnerability in txtai's API, specifically the `/reindex` endpoint, presents a remote code execution risk under certain deployment conditions. If the API is exposed externally, authentication is disabled, and the index is writable, a remote attacker can exploit this by manipulating the `function` parameter to execute arbitrary code. Responsibility for addressing this likely falls to platform teams managing the txtai deployment, in coordination with application owners if txtai is embedded within a larger application. The first practical step is to identify all instances of txtai, confirm their reachability and business criticality, and then plan remediation, potentially involving vendor coordination for the fix or temporary risk reduction measures.

  • Confirm txtai instances and exposure.
  • Identify accountable application owners.
  • Plan remediation or temporary mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is txtai?

txtai is an open-source framework designed for AI-powered workflows, vector search, and language model orchestration. Developers often use it to build search engines, question-answering systems, and data processing pipelines. It can run as a standalone web API service, which allows external applications to interact with these AI models and indices remotely.

What does CWE-94 mean for CVE-2026-58449?

CWE-94 refers to Improper Control of Generation of Code, commonly known as Code Injection. In this vulnerability, txtai's API incorrectly handles user input by allowing a caller to supply a path to arbitrary Python functions. Because the software does not check if the requested function is safe, an attacker can trick the system into running unauthorized commands on the server.

When does this vulnerability trigger?

The issue is not triggered by default. It requires three specific, non-default conditions simultaneously: the API must be exposed to the network, the authentication token must be disabled, and the index must be configured as writable. If any of these conditions are missing—for instance, if authentication is enabled or the API is kept private—the exploitation path is effectively blocked.

Is my instance reachable from the internet?

Halo Surface Signal notes that while txtai is often deployed as a web-accessible API, you must verify if your specific instance is reachable from the internet. Because the vulnerability requires an unauthenticated, network-accessible endpoint, instances running on local, internal-only networks face a significantly lower risk than those exposed publicly.

How do I secure my txtai deployment?

The primary step is to review your deployment configuration. Confirm if the API is exposed and if authentication is enabled. If you are running an affected version, the recommended path is to update to a patched version that adds a configuration flag to gate the reindex endpoint. If an update is not immediate, ensure your API access is restricted by a firewall or authentication layer.

References