CVE-2026-10105 Overview
CVE-2026-10105 is a SQL injection vulnerability [CWE-89] in agno 2.6.5, an open-source agentic AI framework. The flaw resides in the ClickHouse vector database backend, specifically in the delete_by_metadata() method implemented in clickhousedb.py. Attackers with the ability to supply metadata keys and values can inject arbitrary SQL expressions through unsafe f-string interpolation. Successful exploitation enables row deletion, targeted record manipulation, and data extraction through error-based or blind SQL injection techniques.
Critical Impact
An authenticated attacker can execute arbitrary SQL against the ClickHouse backend, delete vector store data, and exfiltrate sensitive information by abusing the delete_by_metadata() method.
Affected Products
- agno 2.6.5 (agentic AI framework)
- ClickHouse vector database integration in agno
- Applications using clickhousedb.pydelete_by_metadata() method
Discovery Timeline
- 2026-05-29 - CVE-2026-10105 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10105
Vulnerability Analysis
The vulnerability exists in agno's ClickHouse vector database backend. The delete_by_metadata() method in clickhousedb.py builds SQL DELETE statements by concatenating user-supplied metadata keys and values directly into the query string using Python f-string interpolation. No parameterized queries, escaping, or input validation are applied before the metadata reaches the SQL execution path.
An attacker who can influence the metadata dictionary passed to delete_by_metadata() can break out of the intended literal context and append arbitrary SQL clauses. This includes modifying WHERE conditions to delete all rows, targeting specific records, or leveraging ClickHouse-specific error messages and timing differences to perform blind data extraction.
Because agno is commonly used to back retrieval-augmented generation (RAG) pipelines, the metadata values are often derived from upstream agent or user inputs, expanding the practical attack surface.
Root Cause
The root cause is unsafe string interpolation when constructing SQL statements. The delete_by_metadata() implementation uses f-strings to embed metadata keys and values into the query rather than passing them as bound parameters through the ClickHouse client. This pattern matches the classic CWE-89 anti-pattern of mixing code and data in the same string.
Attack Vector
Exploitation occurs over the network against any application that exposes the agno vector store deletion functionality to attacker-controlled metadata. The attacker submits crafted metadata keys or values containing SQL meta-characters and clauses. The injected payload alters the DELETE statement structure, enabling unauthorized data destruction, selective row removal, or inference-based data exfiltration through error-based or blind techniques.
The vulnerability mechanism is described in detail in the VulnCheck SQL Injection Advisory and the upstream GitHub Issue Report.
Detection Methods for CVE-2026-10105
Indicators of Compromise
- Unexpected DELETE statements in ClickHouse query logs referencing the agno vector table with non-literal WHERE clauses.
- Metadata key or value fields containing SQL syntax such as single quotes, OR 1=1, UNION, comment sequences, or ClickHouse functions like sleep().
- Sudden drops in vector store row counts or missing embedding records.
- ClickHouse error log entries tied to malformed DELETE queries originating from the agno service account.
Detection Strategies
- Enable ClickHouse query_log and alert on DELETE statements against agno-managed tables that contain suspicious operators or function calls in the WHERE clause.
- Instrument the agno application layer to log all metadata keys and values passed to delete_by_metadata() and flag entries that contain quote characters or SQL keywords.
- Run static analysis (for example, Semgrep or CodeQL rules) for f-string SQL construction patterns in any forked or vendored copies of clickhousedb.py.
Monitoring Recommendations
- Forward ClickHouse audit and query logs to a centralized analytics platform to correlate anomalous deletion activity with upstream agent inputs.
- Baseline normal deletion volume per tenant or per agent and alert on deviations.
- Monitor for repeated failed queries indicative of blind SQL injection probing, including time-based payloads.
How to Mitigate CVE-2026-10105
Immediate Actions Required
- Identify all deployments running agno 2.6.5 with the ClickHouse vector backend and restrict network access to trusted callers only.
- Disable or gate the delete_by_metadata() code path until a patched release is deployed.
- Audit ClickHouse query logs for prior exploitation attempts and validate vector store integrity.
- Rotate any credentials used by the agno service account against ClickHouse if compromise is suspected.
Patch Information
Upstream remediation is tracked in the agno repository. Review the GitHub Pull Request and the associated Pull Request Changes for the fix that replaces unsafe f-string interpolation with safe parameter binding. Upgrade to the fixed version once released by the agno maintainers.
Workarounds
- Wrap delete_by_metadata() calls with an allowlist that restricts metadata keys to a known schema and rejects values containing SQL meta-characters.
- Run the agno ClickHouse user with the least privileges necessary, removing DROP and broad DELETE permissions where possible.
- Place the agno service behind authenticated APIs and validate all upstream metadata inputs before passing them to the vector store layer.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
