Vanna AI Vanna Missing Authentication Vulnerability in Chat API Endpoint

Vulnerability

A critical vulnerability exists in Vanna AI's Vanna application, in versions through 2.0.2. The issue arises from a complete lack of authentication on several Chat API endpoints, including chat_poll, chat_sse, and chat_websocket. Because these endpoints require no credentials, unauthenticated remote attackers can send requests and execute arbitrary natural language queries against any connected database, potentially exposing sensitive information or allowing it to be manipulated.

Impact

The vulnerability allows unauthenticated access to database resources through the Chat API, enabling attackers to execute arbitrary queries. This could lead to unauthorized data access or manipulation, depending on the nature of the queried database and its contents. Additionally, the lack of authentication could allow for abuse of connected LLM resources, consuming API tokens and potentially incurring costs or depleting usage limits.

Reproduction

To reproduce this vulnerability, install Vanna version 2.0.2 with FastAPI support. Start the server with the default configuration, which will listen on http://0.0.0.0:8000. Once the server is running, send a POST request to the /api/vanna/v2/chat_poll endpoint without any authentication headers. The server will respond with a 200 OK status, indicating that the request was processed successfully. This step can be repeated with the /api/vanna/v2/chat_sse endpoint, which also accepts requests without authentication.
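As an added example (not part of this advisory or the Vanna project), the following access-log check flags non-error requests to the three Chat API endpoints named above that come from outside an assumed trusted network. The Common Log Format layout, the trusted range, and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Endpoints the advisory names as lacking authentication (Vanna through 2.0.2).
ENDPOINT_RE = re.compile(r"^/api/vanna/v2/(chat_poll|chat_sse|chat_websocket)(?:[/?]|$)")

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumed trusted range (placeholder); requests from anywhere else get flagged.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # malformed address: treat as untrusted
        return False

def find_chat_api_hits(lines):
    """Return (ip, endpoint, status) for each non-error chat API request from outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = ENDPOINT_RE.match(rec["path"])
        if m is None or is_trusted(rec["ip"]):
            continue
        status = int(rec["status"])
        if status < 400:  # 2xx responses, and 101 for the WebSocket upgrade
            hits.append((rec["ip"], m.group(1), status))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2026:05:18:00 +0000] "POST /api/vanna/v2/chat_poll HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Apr/2026:05:18:01 +0000] "POST /api/vanna/v2/chat_poll HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Apr/2026:05:18:02 +0000] "GET /api/vanna/v2/chat_sse?q=1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Apr/2026:05:18:03 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
    '198.51.100.9 - - [02/Apr/2026:05:18:04 +0000] "GET /api/vanna/v2/chat_websocket HTTP/1.1" 101 0',
]
```

Running `find_chat_api_hits(SAMPLE_LOG)` returns the two external chat_poll/chat_sse hits and the external WebSocket upgrade, while the internal request and the static asset are ignored.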

Remediation

No known mitigation is available for this vulnerability.

Added: Apr 2, 2026, 5:18 AM
Updated: Apr 2, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.