{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/anyquery--0.4.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Anyquery (\u003c 0.4.5)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","anyquery","local-file-read","linux","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAnyquery, a tool for querying various data sources, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-54628, in its \u003ccode\u003eserver\u003c/code\u003e mode. When \u003ccode\u003eanyquery server\u003c/code\u003e is launched, it exposes a MySQL-compatible interface. Versions prior to 0.4.5 allow unauthenticated attackers to create dynamic virtual tables using modules such as \u003ccode\u003ejson_reader\u003c/code\u003e or \u003ccode\u003elog_reader\u003c/code\u003e. These modules leverage \u003ccode\u003ego-getter\u003c/code\u003e to fetch URLs without restricting access to local (127.0.0.0/8), private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or cloud metadata (169.254.169.254) IP addresses. This allows attackers to bypass network segmentation, scan internal ports, interact with internal APIs, and exfiltrate cloud credentials (e.g., AWS IAM tokens) from the underlying host. The vulnerability poses a significant risk to the confidentiality of internal network data and cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker initiates a MySQL client connection to the vulnerable Anyquery server running in \u003ccode\u003eserver\u003c/code\u003e mode (e.g., \u003ccode\u003eanyquery server --host 0.0.0.0 --port 8070\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a crafted \u003ccode\u003eCREATE VIRTUAL TABLE\u003c/code\u003e SQL statement using an unrestricted virtual table module like \u003ccode\u003elog_reader\u003c/code\u003e or \u003ccode\u003ejson_reader\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCREATE VIRTUAL TABLE\u003c/code\u003e statement includes a maliciously crafted URL pointing to an internal resource, such as \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e for AWS credentials or \u003ccode\u003ehttp://localhost:8000/admin\u003c/code\u003e for an internal web application.\u003c/li\u003e\n\u003cli\u003eThe Anyquery server, via its internal \u003ccode\u003ego-getter\u003c/code\u003e library, performs an unconstrained HTTP GET request from the server's context to the specified internal or metadata URL.\u003c/li\u003e\n\u003cli\u003eThe Anyquery server receives the HTTP response containing potentially sensitive data from the internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003eSELECT * FROM \u0026lt;virtual_table_name\u0026gt;\u003c/code\u003e query against the newly created virtual table.\u003c/li\u003e\n\u003cli\u003eAnyquery returns the fetched HTTP response content directly as rows within the SQL query result.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves and exfiltrates sensitive information, such as cloud IAM credentials, internal API responses, or details of the internal network architecture.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-54628 in Anyquery's \u003ccode\u003eserver\u003c/code\u003e mode leads to a high confidentiality impact. Attackers can exfiltrate sensitive internal network data, such as responses from internal REST APIs, and critical cloud credentials (e.g., AWS IAM tokens from metadata services), bypassing external firewall restrictions. This enables unauthorized access to other internal systems and cloud resources. While the integrity impact is rated as low (due to potential interaction with state-changing internal APIs), the primary concern is the unconstrained access to confidential information. The vulnerability has a CVSSv3.1 score of 8.6 (High).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54628 by upgrading Anyquery to version 0.4.5 or later immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious outbound network connections.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging for the \u003ccode\u003eanyquery\u003c/code\u003e process to detect attempts to connect to internal or metadata IP addresses.\u003c/li\u003e\n\u003cli\u003eMonitor your DNS and proxy logs for \u003ccode\u003eanyquery\u003c/code\u003e process activity connecting to \u003ccode\u003e169.254.169.254\u003c/code\u003e (AWS metadata service) and other cloud metadata IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:51:08Z","date_published":"2026-07-14T20:39:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-anyquery-ssrf/","summary":"Unauthenticated attackers can exploit a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-54628) in Anyquery's `server` mode (versions prior to 0.4.5) by creating SQLite virtual tables that fetch internal network resources or cloud metadata, leading to internal network mapping and exfiltration of sensitive information like cloud credentials.","title":"Anyquery Server-Side Request Forgery via Unrestricted SQLite Virtual Table Modules","url":"https://feed.craftedsignal.io/briefs/2026-07-anyquery-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Anyquery (\u003c 0.4.5)","version":"https://jsonfeed.org/version/1.1"}