

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload …
Published:
11 January 2026 at 23:00:00
Alert date:
12 January 2026 at 18:02:27
Source:
nvd.nist.gov
Enterprise Applications, Web Technologies
CVE-2025-68472 is an unauthenticated path traversal in MindsDB's file upload API that lets an attacker read arbitrary files from the server's filesystem. The flaw is in the PUT handler in file.py: for JSON-bodied uploads it joins a client-controlled value directly into a filesystem path without sanitisation. Only multipart and URL-sourced uploads pass through the clear_filename checks; the JSON branch bypasses them entirely. An unauthenticated caller can therefore name any file the MindsDB process can read and have it moved into MindsDB's file storage, where the content becomes accessible through the platform. All versions prior to 25.11.1 are affected; the fix shipped in 25.11.1.
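The bug class described above, as an added example that is not MindsDB's code: a resolver that joins the client-supplied JSON field straight into the upload directory, beside a hardened resolver that applies a basename-only sanitiser (modelled on the clear_filename check the write-up mentions, but written here as an assumption rather than copied from the project) plus a containment check. All function names, the toy handler and the sample payloads are hypothetical.

```python
import os
import re
import tempfile
from pathlib import Path

# Added illustration of the bug class: a user-controlled value joined into a
# server-side path. Function names, structure and payloads are hypothetical
# and are not MindsDB's code.

# Stand-in for the server's upload directory (created fresh so the script
# runs anywhere).
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads-")


def vulnerable_resolve(upload_dir: str, requested: str) -> str:
    """Mirrors the flaw: the client-supplied 'file' value is joined straight
    into a server path. '..' segments walk out of upload_dir, and a leading
    '/' makes os.path.join discard upload_dir entirely."""
    return os.path.normpath(os.path.join(upload_dir, requested))


def clear_filename(name: str) -> str:
    """Hypothetical sanitiser in the spirit of the clear_filename check the
    write-up says multipart and URL uploads receive: keep only the last path
    component and reduce it to a conservative character set."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    if base in ("", ".", ".."):
        raise ValueError("empty or dot-only filename rejected: %r" % name)
    return base


def safe_resolve(upload_dir: str, requested: str) -> str:
    """Hardened version: sanitise to a bare filename, then still verify the
    resolved path is inside upload_dir (defence in depth against symlinks
    or a future sanitiser regression)."""
    root = Path(upload_dir).resolve()
    candidate = (root / clear_filename(requested)).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError("path escapes upload dir: %r" % requested)
    return str(candidate)


def escapes(upload_dir: str, resolved: str) -> bool:
    """True when resolved lies outside upload_dir (after symlink resolution)."""
    root = Path(upload_dir).resolve()
    target = Path(resolved).resolve()
    return target != root and root not in target.parents


def handle_json_upload(body: dict, fixed: bool) -> str:
    """Toy PUT handler for the JSON branch: returns the server-side path the
    upload would be moved from. 'fixed' selects the hardened resolver."""
    requested = body["file"]          # attacker-controlled JSON field
    resolver = safe_resolve if fixed else vulnerable_resolve
    return resolver(UPLOAD_DIR, requested)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for payload in ("report.json", "../../../../etc/passwd", "/etc/passwd"):
        src = handle_json_upload({"file": payload}, fixed=False)
        verdict = "(escapes)" if escapes(UPLOAD_DIR, src) else "(inside)"
        print("vulnerable:", payload, "->", src, verdict)
        try:
            print("hardened:  ", payload, "->", handle_json_upload({"file": payload}, fixed=True))
        except ValueError as exc:
            print("hardened:  ", payload, "-> rejected:", exc)
```

Note the design choice in the hardened path: a payload such as `/etc/passwd` is not rejected outright but collapsed to the bare name `passwd` inside the upload directory, which is what a basename-only sanitiser does; the containment check after it is redundant for this sanitiser and exists so that a later change to clear_filename cannot silently reopen the traversal.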
Mitigation steps:
Upgrade MindsDB to version 25.11.1 or later, which contains the fix. Because the vulnerable endpoint requires no authentication, restricting network exposure of the MindsDB HTTP API is a reasonable interim control until the upgrade is done.
Affected products:
MindsDB
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-68472
https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7
This article was created with the assistance of AI technology by Perceptive.

