Full Report
Missing Authentication for Critical Function vulnerability (CVE-2026-8335) has been found in Aix-DB software.
Analysis Summary
# Vulnerability: Missing Authentication in Aix-DB `/llm/process_llm_out` Endpoint
## CVE Details
- **CVE ID:** CVE-2026-8335
- **CVSS Score:** Not explicitly listed in source (Estimated: 7.5 - 8.6 based on unauthenticated data exfiltration)
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Aix-DB
- **Versions:** All versions through 1.2.4
- **Configurations:** Systems utilizing the LLM processing functionality via the `/llm/process_llm_out` endpoint.
## Vulnerability Description
Aix-DB suffers from a missing authentication check on a specific API endpoint: `/llm/process_llm_out`. While most application endpoints enforce token validation, this specific path does not. As a result, an unauthenticated attacker can send crafted requests to this endpoint to execute arbitrary `SELECT` SQL queries. This allows for the unauthorized retrieval of data from the underlying database.
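The root cause described above (per-route token checks where one route was left out) is a design pattern, not a one-off typo, and the fix is to authenticate before dispatch rather than inside each handler. The following is an added illustration, not Aix-DB's code: `dispatch_per_route` models the vulnerable pattern, `dispatch_deny_by_default` the hardened one. The token value, the route table, the `/healthz` public path and the in-memory SQLite table are all constructed for the demo.

```python
"""Deny-by-default request authorization (added example; not Aix-DB code).

Contrasts the CWE-306 pattern behind CVE-2026-8335 (each handler checks auth
itself, one handler forgets) with a dispatcher that authenticates every request
before routing and keeps an explicit, small allowlist of public paths.
"""
import hmac
import sqlite3

# Constructed demo token. A real service would validate a session or signed token.
VALID_TOKEN = "demo-token-123"


def make_db():
    """Constructed in-memory database standing in for the application store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice@example.test"), (2, "bob@example.test")],
    )
    return conn


def authenticated(req):
    """True if the request carries 'Authorization: Bearer <VALID_TOKEN>'."""
    header = req.get("headers", {}).get("Authorization", "")
    scheme = "Bearer "
    if not header.startswith(scheme):
        return False
    token = header[len(scheme):]
    # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
    return hmac.compare_digest(token.encode("utf-8"), VALID_TOKEN.encode("utf-8"))


def handle_users(req, conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def handle_process_llm_out(req, conn):
    # Hypothetical handler: returns rows from the database, i.e. the kind of
    # data that must never be reachable without a valid token.
    return conn.execute("SELECT id, email FROM users").fetchall()


def handle_healthz(req, conn):
    return "ok"


def dispatch_per_route(req, conn):
    """Vulnerable pattern: every handler is responsible for its own auth check."""
    path = req["path"]
    if path == "/users":
        if not authenticated(req):
            return 401, "unauthorized"
        return 200, handle_users(req, conn)
    if path == "/llm/process_llm_out":
        # The check was never added on this route: unauthenticated data access.
        return 200, handle_process_llm_out(req, conn)
    if path == "/healthz":
        return 200, handle_healthz(req, conn)
    return 404, "not found"


# Hardened pattern: routes are data, and auth runs once before any lookup.
PUBLIC_PATHS = frozenset({"/healthz"})
ROUTES = {
    "/users": handle_users,
    "/llm/process_llm_out": handle_process_llm_out,
    "/healthz": handle_healthz,
}


def dispatch_deny_by_default(req, conn):
    """Authenticate first; a route reaches a handler only if it is explicitly public
    or the token is valid. A newly added route is protected without extra code."""
    path = req["path"]
    if path not in PUBLIC_PATHS and not authenticated(req):
        return 401, "unauthorized"
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(req, conn)


if __name__ == "__main__":
    db = make_db()
    anon = {"path": "/llm/process_llm_out", "headers": {}}
    print("per-route     :", dispatch_per_route(anon, db))
    print("deny-by-default:", dispatch_deny_by_default(anon, db))
```

The two dispatchers expose the same handlers; the difference is only where the check lives. With the deny-by-default form, an unauthenticated request to a forgotten route is a 404 or a 401, never a 200 with data, and unknown paths are rejected before any handler runs.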
## Exploitation
- **Status:** Reported via Coordinated Vulnerability Disclosure (CVD); the source mentions no confirmed reports of exploitation in the wild.
- **Complexity:** Low (Lacks authentication enforcement)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Allows unauthorized retrieval of database data and arbitrary `SELECT` queries)
- **Integrity:** None (Vulnerability limited to `SELECT` queries)
- **Availability:** None reported (Potential for resource exhaustion via heavy queries)
## Remediation
### Patches
- **No Patch Available:** As of the publication date (June 10, 2026), the vendor has not addressed the vulnerability. All versions up to 1.2.4 remain vulnerable.
### Workarounds
- **Network Filtering:** Restrict access to the `/llm/process_llm_out` endpoint at the firewall, WAF, or reverse-proxy level to known/trusted IP addresses only.
- **Web Application Firewall (WAF):** Implement rules to block requests to `/llm/process_llm_out` that do not contain valid authorization headers, or block the endpoint entirely if LLM features are not in use.
## Detection
- **Indicators of Compromise:** Review web server logs for unexpected `POST` or `GET` requests to the `/llm/process_llm_out` endpoint originating from unauthorized or external IP addresses.
- **Database Auditing:** Monitor database logs for unusual `SELECT` queries executed by the application service account that do not correlate with legitimate user activity.
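The log review described above can be scripted. The following added example (not from the advisory) parses Combined Log Format access-log lines, keeps only requests to `/llm/process_llm_out`, and reports those from source addresses outside a trusted-network allowlist, with a per-source count and total bytes returned so that bulk retrieval stands out. The trusted ranges and the sample log lines are constructed for the demo; adapt `TRUSTED_NETWORKS` to the addresses of the components that legitimately call the endpoint.

```python
"""Flag access-log hits on the unauthenticated Aix-DB endpoint (added example).

Input: Combined Log Format lines as written by nginx/Apache.
Output: the matching records and a per-source summary (request count, bytes).
"""
import ipaddress
import re
from collections import defaultdict

TARGET_PATH = "/llm/process_llm_out"

# Constructed assumption: only these ranges host components that should call the endpoint.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one legitimate internal call, two external calls
# (one with a query string), one unrelated request, one unparsable line.
SAMPLE_LOG = [
    '10.0.3.7 - - [10/Jun/2026:08:01:12 +0000] "POST /llm/process_llm_out HTTP/1.1" 200 512 "-" "aixdb-worker/1.2"',
    '203.0.113.45 - - [10/Jun/2026:08:02:03 +0000] "POST /llm/process_llm_out HTTP/1.1" 200 20481 "-" "python-requests/2.31"',
    '203.0.113.45 - - [10/Jun/2026:08:02:04 +0000] "POST /llm/process_llm_out?x=1 HTTP/1.1" 200 19877 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jun/2026:08:05:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'not a log line',
]


def parse_line(line):
    """Return a dict for a Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_trusted(ip):
    """True if ip lies inside one of TRUSTED_NETWORKS; malformed addresses are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(lines):
    """Requests to TARGET_PATH (query string ignored) from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path == TARGET_PATH and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(lines):
    """Per-source {ip: (request_count, total_bytes)} for suspicious hits."""
    totals = defaultdict(lambda: [0, 0])
    for rec in find_suspicious(lines):
        totals[rec["ip"]][0] += 1
        totals[rec["ip"]][1] += rec["size"]
    return {ip: tuple(v) for ip, v in totals.items()}


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["method"], rec["path"], rec["status"], rec["size"])
    print(summarize(SAMPLE_LOG))
```

Run it against a real file with `find_suspicious(open("access.log"))`. The query string is stripped before the path comparison so that variants like `/llm/process_llm_out?x=1` are not missed, and a 200 status from an untrusted source is the strongest signal, since the endpoint answers without a token.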
## References
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/06/vulnerability-in-aix-db/
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-8335
- **CWE-306 Definition:** hxxps[://]cwe[.]mitre[.]org/data/definitions/306[.]html