HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-48017Published Modified CNA GitHub_M

CVE-2026-48017: DbGate: Remote Code Execution via functionName injection in loadReader endpoint

DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction. An authenticated user with basic access (no admin role, no run-shell-script permission required) can: execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process, read/write any file accessible to the process, pivot to connected databases by reading connection credentials from DbGate's storage, and compromise the host system - in Docker deployments, this typically means root access within the container.

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Remote code execution via JavaScript injection in DbGate, a cross-platform database manager. The POST /runners/load-reader endpoint accepts a functionName parameter that is interpolated directly into a JavaScript code template without sanitization, reachable over the network by any authenticated user with basic access. Successful exploitation gives the attacker full code execution on the server, arbitrary file read/write, access to stored database credentials, and in Docker environments typically root access within the container. No patched version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package DbGate. Any image containing an affected version of dbgate/dbgate prior to 7.1.9 is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 8.8 HIGH using the published v3.1 vector and can weight that score against each customer organization's compliance policy to surface it to the appropriate team inbox. Per-environment severity overrides and routing rules apply as configured.

Available
Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears upstream. In the interim, customers with network-isolation policies or compensating-control rules can apply those through HarborGuard's policy engine to reduce exposure while the patch is pending.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the DbGate HTTP service to send the malicious POST request.

  • AuthenticationRequired

    Any low-privilege account is sufficient; no admin role or special permission is needed, just a valid authenticated session.

  • Victim interactionNot required

    The attacker sends a crafted HTTP request directly; no action is required from another user or administrator.

  • Attack complexityDetail

    Exploitation is straightforward and condition-free; the payload is injected directly into an unsanitized template parameter with no race conditions or environmental dependencies.

Blast Radius

  • Executes arbitrary OS commands on the DbGate server with the privileges of the Node.js process.
  • Reads and writes any file accessible to that process, including configuration files and secrets stored on disk.
  • Reads stored database connection credentials from DbGate's internal storage, enabling pivot attacks against every connected database.
  • In Docker deployments, typically achieves root access within the container, with further escalation potential depending on container configuration.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all customer images as soon as it enters the advisory feed, with no manual import step required. Because no upstream fix exists for DbGate at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available, and open a PR against affected workloads for customers with auto-remediation enabled, the moment a fix version is published. While waiting for an upstream patch, customers can use HarborGuard's policy engine to apply compensating controls: network-policy isolation to restrict inbound access to the DbGate HTTP port, egress filtering to limit the Node.js process's outbound reach, and alert-on-deploy rules to block new deployments of affected image versions into production environments.

See how HarborGuard automates this
Affected packages
  • dbgate / dbgate
    < 7.1.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References