CVE-2026-28438 is an SQL injection vulnerability classified under CWE-89 found in the Doris target connector component of the CocoIndex framework, a data transformation tool used in AI workflows. Prior to version 0.3.34, the Doris connector fails to properly sanitize or validate the table name parameter before incorporating it into ALTER TABLE SQL commands. Since the table name can be supplied by an untrusted upstream source, this improper neutralization of special SQL elements allows an attacker to inject arbitrary SQL code. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium), reflecting the network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on data integrity, as the injected SQL could alter database schema or data. Confidentiality and availability impacts are not indicated. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed and patched in version 0.3.34 of CocoIndex. This flaw highlights the critical need for input validation and sanitization in components that construct dynamic SQL statements, especially when inputs originate from untrusted sources.

If exploited, this vulnerability could allow attackers to execute arbitrary SQL commands on the backend database used by the Doris target connector in CocoIndex. This could lead to unauthorized modification of database schema or data, potentially corrupting AI data transformation workflows or causing erroneous outputs. While confidentiality and availability impacts appear limited, the integrity of critical AI data pipelines could be compromised, affecting downstream AI model training and decision-making processes. Organizations relying on CocoIndex for AI data transformations may face operational disruptions or data integrity issues. The ease of exploitation (no authentication or user interaction required) increases the risk, especially in environments where untrusted inputs can reach the vulnerable component. However, the absence of known exploits in the wild suggests limited active targeting at present.

The primary mitigation is to upgrade CocoIndex to version 0.3.34 or later, where the vulnerability has been patched. Until upgrade is possible, organizations should implement strict input validation and sanitization on all table name parameters, ensuring they conform to expected naming conventions and reject any suspicious characters or patterns that could enable SQL injection. Employing parameterized queries or prepared statements for all SQL commands, including schema alterations, can prevent injection attacks. Network-level controls should restrict access to the Doris target connector to trusted sources only. Monitoring and logging of SQL commands and schema changes can help detect suspicious activity. Additionally, conducting regular security code reviews and penetration testing focused on injection flaws in data transformation components is recommended to prevent similar issues.