CVE-2026-25628

Published: Feb 6, 2026Modified: Feb 19, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0.

Affected (1)

Products: Qdrant: Qdrant

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Qdrant Qdrant	From 1.9.3 to 1.16.0

Related CWEs

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

References (3)

https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195

Source: security-advisories@github.com

Product

https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1

Source: security-advisories@github.com

Patch

https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

Timeline

No history available yet.