{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/recce--1.49.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["recce (\u003c= 1.49.0)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","sql-injection","file-read-write","rce","data-exfiltration","recce"],"_cs_type":"advisory","_cs_vendors":["Recce"],"content_html":"\u003cp\u003eA critical unauthenticated SQL execution vulnerability, identified as CVE-2026-49360, has been discovered in Recce OSS server versions up to \u003ccode\u003ev1.49.0\u003c/code\u003e. This flaw specifically affects deployments where the Recce server is exposed to an untrusted network without authentication and is configured to use a DuckDB-backed project. Exploitation allows an attacker to leverage DuckDB filesystem primitives through the \u003ccode\u003equery run API\u003c/code\u003e to perform arbitrary local file read and write operations on the server. The implications are significant, ranging from sensitive data disclosure and tampering with Recce/dbt artifacts to potential stored Cross-Site Scripting (XSS) via modification of browser-served static files. The severity of impact is heightened if Recce is running with elevated privileges (e.g., as root), as file access would occur with corresponding permissions. The vulnerability was responsibly reported by Sitampan (@hxcbtc) and patched in Recce \u003ccode\u003ev1.50.0\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Recce OSS server (\u003ccode\u003e\u0026lt;= v1.49.0\u003c/code\u003e) exposed to an untrusted network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted HTTP request to the Recce server's \u003ccode\u003equery run API\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request payload contains SQL commands leveraging DuckDB syntax and filesystem primitives, bypassing authentication.\u003c/li\u003e\n\u003cli\u003eThe Recce server, running with a DuckDB-backed project, processes the malicious SQL query.\u003c/li\u003e\n\u003cli\u003eThe embedded DuckDB filesystem functions (e.g., \u003ccode\u003eREAD_CSV\u003c/code\u003e, \u003ccode\u003eCOPY\u003c/code\u003e) are executed to access the server's local file system.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive local files (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, database credentials, application configuration).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker writes malicious content to server-accessible paths (e.g., modifying static files for stored XSS or corrupting application files).\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to data exfiltration, system compromise, or persistent defacement, with potential root privileges if the Recce process is running as root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed impact of this vulnerability depends heavily on the Recce server's deployment configuration. Attackers can achieve unauthorized disclosure of local files, potentially exposing sensitive data, configuration files, or credentials accessible to the Recce server process. Tampering with Recce or dbt artifacts could lead to data integrity issues or supply chain attacks. Modification of browser-served static files might result in stored Cross-Site Scripting (XSS), affecting users interacting with the Recce interface. Furthermore, if application files themselves are writable, attackers could modify core application logic. If the Recce server is running with root privileges (a misconfiguration), the file access can occur with full root capabilities, leading to complete host or container compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-49360 immediately\u003c/strong\u003e: Upgrade all Recce server deployments to \u003ccode\u003ev1.50.0\u003c/code\u003e or later, as specified in the patches section of the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement network access controls\u003c/strong\u003e: Ensure \u003ccode\u003erecce server\u003c/code\u003e is not exposed to the public internet or any untrusted network, as mentioned in the workarounds section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy behind an authenticated proxy\u003c/strong\u003e: Place Recce behind an authenticated reverse proxy or VPN to enforce access control, as suggested in the workarounds section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnforce least privilege\u003c/strong\u003e: Run the Recce server process as a non-root user to limit the scope of file access in case of compromise, as advised in the workarounds section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict file system access\u003c/strong\u003e: Configure the application's filesystem as read-only where possible, and ensure sensitive files or credentials are not accessible to the Recce process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule below\u003c/strong\u003e: Use the provided \u003ccode\u003eDetect CVE-2026-49360 Exploitation - Recce DuckDB File Operations\u003c/code\u003e rule in your SIEM to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:09:54Z","date_published":"2026-07-03T11:09:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-recce-unauthenticated-sql-rce/","summary":"Recce OSS server deployments are vulnerable to unauthenticated SQL execution via the query run API when configured with a DuckDB-backed project, allowing attackers to use DuckDB filesystem primitives to read and write arbitrary files accessible to the server process, potentially leading to data disclosure, tampering, or stored XSS.","title":"Unauthenticated SQL Execution Vulnerability in Recce OSS Server (CVE-2026-49360)","url":"https://feed.craftedsignal.io/briefs/2026-07-recce-unauthenticated-sql-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Recce (\u003c= 1.49.0)","version":"https://jsonfeed.org/version/1.1"}