Auth bypass in Vanna-ai Vanna
CVE-2026-6977
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attac…
EPSS: 0.001 (17.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.
Affected products
- Vanna-ai Vanna — versions 2.0.0, 2.0.1, 2.0.2
Weakness classification (CWE)
References
- VDB-359520 | vanna-ai vanna Legacy Flask API improper authorization (vdb-entry)
- VDB-359520 | CTI Indicators (IOB, IOC, TTP) (signature, permissions-required)
- Submit #795331 | vanna-ai vanna 2.0.2 Unauthorized access to all API endpoints (third-party-advisory)
- cna@vuldb.com (issue-tracking, exploit)
Frequently asked questions
- What is CVE-2026-6977?
- CVE-2026-6977 is a high-severity vulnerability in Vanna-ai Vanna, classified under Incorrect Privilege Assignment. CVSS score: 7.3/10. Published 2026-04-25.
- How severe is CVE-2026-6977?
- High severity. CVSS v3 base score is 7.3 out of 10.