critical advisory

DbGate Unauthenticated Remote Code Execution via JSON Script Runner (CVE-2026-47668)

CVE-2026-47668 is a critical remote code execution vulnerability in the JSON Script Runner component of DbGate versions 7.1.8 and earlier. User-controlled fields are concatenated into dynamically generated JavaScript without adequate validation, allowing arbitrary code execution. An attacker may obtain a Bearer token and reach the vulnerable endpoint without valid credentials, leading to full server compromise. Upgrade to DbGate 7.1.9+ immediately to remediate the vulnerability.

A public exploit has been released for CVE-2026-47668, a critical remote code execution vulnerability in DbGate’s JSON Script Runner. DbGate versions 7.1.8 and earlier are vulnerable. The vulnerability arises from the concatenation of user-controlled fields like functionName and variableName into dynamically generated JavaScript without proper validation. This allows attackers to inject arbitrary code into the Node.js child process that runs runner scripts. In deployments with anonymous or default authentication, an attacker can obtain a Bearer token via POST /auth/login and then exploit the vulnerability via POST /runners/start without valid credentials. Successful exploitation leads to full server compromise at the privilege level of the DbGate process. Defenders should upgrade to DbGate 7.1.9+ immediately.

Attack Chain

  1. The attacker identifies a vulnerable DbGate instance running version 7.1.8 or earlier.
  2. The attacker sends a POST request to /auth/login with a default amoid value to obtain a Bearer token.
  3. The server returns a Bearer token to the attacker.
  4. The attacker crafts a malicious POST request to the /runners/start endpoint.
  5. The malicious request contains a JSON payload with injected code in the functionName or variableName fields within the assign command.
  6. The server concatenates the attacker-controlled input into dynamically generated JavaScript.
  7. The server executes the injected code within a Node.js child process, allowing the attacker to execute arbitrary OS commands.
  8. The attacker achieves remote code execution on the server with the privileges of the DbGate process.

Impact

Successful exploitation of CVE-2026-47668 can lead to arbitrary OS command execution, potentially enabling credential and file access, malware deployment, lateral movement, and denial of service. The business impact includes data theft, host takeover, ransomware deployment, credential compromise, and service disruption. Since no victim counts are given, assume all users of vulnerable versions are potentially affected.

Recommendation

  • Upgrade to DbGate version 7.1.9 or later immediately to patch CVE-2026-47668.
  • Monitor web server logs for POST requests to /auth/login followed by POST requests to /runners/start with unusual JSON payloads as described in the overview.
  • Deploy the Sigma rules provided below to detect exploitation attempts targeting CVE-2026-47668.

Detection coverage (2 rules)

Detects CVE-2026-47668 Exploitation — POST to /runners/start with Command Injection

Severity: high

Detects CVE-2026-47668 exploitation — HTTP POST to /runners/start with shell metacharacters in the request body, indicating command injection attempt.

sigma | tactics: execution | techniques: T1202 | sources: webserver

Detects CVE-2026-47668 Exploitation — Suspicious POST to /auth/login followed by /runners/start

Severity: medium

Detects CVE-2026-47668 exploitation — HTTP POST to /auth/login followed shortly by POST to /runners/start, indicating potential authentication bypass and exploitation attempt.

sigma | tactics: initial_access | techniques: T1550.002 | sources: webserver
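
The login-then-runner sequence that the second rule describes can be checked over web server access logs as sketched here. This is an added example, not a rule from this feed and not DbGate code; the combined log format, keying by source IP, the 60-second window and the sample lines are assumptions.

```javascript
'use strict';
// Assumptions (not from the advisory): combined-format access logs, client
// keyed by source IP, and a 60 s window for "followed shortly by".
const WINDOW_MS = 60_000;
const MONTHS = ['Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'];
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "(\S+) (\S+)[^"]*" (\d{3}) /;

// Parse one access-log line into {ip, ts, method, path, status}, or null.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const month = MONTHS.indexOf(m[3]);
  if (month < 0) return null;
  const offsetMs = (m[8] === '-' ? -1 : 1) * (Number(m[9]) * 60 + Number(m[10])) * 60_000;
  const ts = Date.UTC(+m[4], month, +m[2], +m[5], +m[6], +m[7]) - offsetMs;
  const path = m[12].split('?')[0].replace(/\/+$/, '') || '/';
  return { ip: m[1], ts, method: m[11].toUpperCase(), path, status: Number(m[13]) };
}

// Return one finding per POST /runners/start that follows a successful
// POST /auth/login from the same IP within windowMs.
function correlate(lines, windowMs = WINDOW_MS) {
  const lastLogin = new Map(); // ip -> timestamp of latest successful login
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST') continue;
    if (e.path.endsWith('/auth/login') && e.status >= 200 && e.status < 300) {
      lastLogin.set(e.ip, e.ts);
    } else if (e.path.endsWith('/runners/start')) {
      const t = lastLogin.get(e.ip);
      if (t !== undefined && e.ts >= t && e.ts - t <= windowMs) {
        findings.push({ ip: e.ip, loginAt: new Date(t).toISOString(), deltaMs: e.ts - t, status: e.status });
      }
    }
  }
  return findings;
}

// Constructed sample lines (documentation IP ranges), not real traffic.
const SAMPLE = [
  '198.51.100.7 - - [12/Jan/2026:10:00:01 +0000] "POST /auth/login HTTP/1.1" 200 312 "-" "curl/8.5.0"',
  '198.51.100.7 - - [12/Jan/2026:10:00:03 +0000] "POST /runners/start HTTP/1.1" 200 58 "-" "curl/8.5.0"',
  '203.0.113.20 - - [12/Jan/2026:10:05:00 +0000] "POST /auth/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
  '203.0.113.20 - - [12/Jan/2026:10:20:00 +0000] "POST /runners/start HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [12/Jan/2026:10:30:00 +0000] "GET /runners/start HTTP/1.1" 404 0 "-" "-"',
];
console.log(correlate(SAMPLE));
```

Legitimate DbGate sessions also log in and then start runners, so treat a hit as a triage signal and review the /runners/start request body where it is logged.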

Detection queries are available on the platform.