{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/anyquery/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Anyquery (\u003c 0.4.5)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","anyquery","local-file-read","linux","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAnyquery, a tool for querying various data sources, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-54628, in its \u003ccode\u003eserver\u003c/code\u003e mode. When \u003ccode\u003eanyquery server\u003c/code\u003e is launched, it exposes a MySQL-compatible interface. Versions prior to 0.4.5 allow unauthenticated attackers to create dynamic virtual tables using modules such as \u003ccode\u003ejson_reader\u003c/code\u003e or \u003ccode\u003elog_reader\u003c/code\u003e. These modules leverage \u003ccode\u003ego-getter\u003c/code\u003e to fetch URLs without restricting access to local (127.0.0.0/8), private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or cloud metadata (169.254.169.254) IP addresses. This allows attackers to bypass network segmentation, scan internal ports, interact with internal APIs, and exfiltrate cloud credentials (e.g., AWS IAM tokens) from the underlying host. The vulnerability poses a significant risk to the confidentiality of internal network data and cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker initiates a MySQL client connection to the vulnerable Anyquery server running in \u003ccode\u003eserver\u003c/code\u003e mode (e.g., \u003ccode\u003eanyquery server --host 0.0.0.0 --port 8070\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a crafted \u003ccode\u003eCREATE VIRTUAL TABLE\u003c/code\u003e SQL statement using an unrestricted virtual table module like \u003ccode\u003elog_reader\u003c/code\u003e or \u003ccode\u003ejson_reader\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCREATE VIRTUAL TABLE\u003c/code\u003e statement includes a maliciously crafted URL pointing to an internal resource, such as \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e for AWS credentials or \u003ccode\u003ehttp://localhost:8000/admin\u003c/code\u003e for an internal web application.\u003c/li\u003e\n\u003cli\u003eThe Anyquery server, via its internal \u003ccode\u003ego-getter\u003c/code\u003e library, performs an unconstrained HTTP GET request from the server's context to the specified internal or metadata URL.\u003c/li\u003e\n\u003cli\u003eThe Anyquery server receives the HTTP response containing potentially sensitive data from the internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003eSELECT * FROM \u0026lt;virtual_table_name\u0026gt;\u003c/code\u003e query against the newly created virtual table.\u003c/li\u003e\n\u003cli\u003eAnyquery returns the fetched HTTP response content directly as rows within the SQL query result.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves and exfiltrates sensitive information, such as cloud IAM credentials, internal API responses, or details of the internal network architecture.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-54628 in Anyquery's \u003ccode\u003eserver\u003c/code\u003e mode leads to a high confidentiality impact. Attackers can exfiltrate sensitive internal network data, such as responses from internal REST APIs, and critical cloud credentials (e.g., AWS IAM tokens from metadata services), bypassing external firewall restrictions. This enables unauthorized access to other internal systems and cloud resources. While the integrity impact is rated as low (due to potential interaction with state-changing internal APIs), the primary concern is the unconstrained access to confidential information. The vulnerability has a CVSSv3.1 score of 8.6 (High).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54628 by upgrading Anyquery to version 0.4.5 or later immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious outbound network connections.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging for the \u003ccode\u003eanyquery\u003c/code\u003e process to detect attempts to connect to internal or metadata IP addresses.\u003c/li\u003e\n\u003cli\u003eMonitor your DNS and proxy logs for \u003ccode\u003eanyquery\u003c/code\u003e process activity connecting to \u003ccode\u003e169.254.169.254\u003c/code\u003e (AWS metadata service) and other cloud metadata IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:51:08Z","date_published":"2026-07-14T20:39:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-anyquery-ssrf/","summary":"Unauthenticated attackers can exploit a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-54628) in Anyquery's `server` mode (versions prior to 0.4.5) by creating SQLite virtual tables that fetch internal network resources or cloud metadata, leading to internal network mapping and exfiltration of sensitive information like cloud credentials.","title":"Anyquery Server-Side Request Forgery via Unrestricted SQLite Virtual Table Modules","url":"https://feed.craftedsignal.io/briefs/2026-07-anyquery-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Anyquery ( \u003c 0.4.5)"],"_cs_severities":["critical"],"_cs_tags":["arbitrary-file-write","rce","anyquery","sqlite","server-mode","vulnerability"],"_cs_type":"advisory","_cs_vendors":["julien040"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-50006) has been identified in Anyquery versions prior to 0.4.5, specifically when the application is operating in \u003ccode\u003eserver\u003c/code\u003e mode. Unauthenticated attackers can leverage this flaw by connecting to the exposed MySQL-compatible server port. The vulnerability stems from Anyquery's failure to restrict SQLite's \u003ccode\u003eATTACH DATABASE\u003c/code\u003e command, allowing adversaries to write arbitrary files to the underlying filesystem. This Arbitrary File Write (AFW) can be exploited to achieve Remote Code Execution (RCE) by dropping malicious files such as PHP web shells into web server directories or injecting cronjob entries into system directories like \u003ccode\u003e/etc/cron.d\u003c/code\u003e. This means an attacker can gain control over the affected system with the privileges of the running Anyquery process, posing a severe threat to data integrity and system availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker connects to the exposed Anyquery MySQL-compatible server port (e.g., 8070).\u003c/li\u003e\n\u003cli\u003eThe attacker executes an \u003ccode\u003eATTACH DATABASE\u003c/code\u003e SQL command to specify a new SQLite database file and a sensitive target path on the victim's filesystem (e.g., \u003ccode\u003e/etc/cron.d/pwn\u003c/code\u003e or \u003ccode\u003e/var/www/html/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a table within the newly attached database using \u003ccode\u003eCREATE TABLE\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious payload (e.g., a reverse shell command for a cronjob, or PHP \u003ccode\u003esystem()\u003c/code\u003e function for a web shell) into the table using an \u003ccode\u003eINSERT INTO\u003c/code\u003e SQL command.\u003c/li\u003e\n\u003cli\u003eAnyquery writes the SQLite database file containing the malicious payload to the specified sensitive path.\u003c/li\u003e\n\u003cli\u003eA system service (e.g., cron daemon, web server) attempts to process the newly created file, ignoring the SQLite binary header and parsing the valid injected malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code (e.g., reverse shell, web shell commands) is executed with the privileges of the Anyquery process, leading to Remote Code Execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability carries a CVSS score of 9.1 (Critical), indicating high severity. If exploited, the integrity of the affected system is severely compromised as arbitrary files can be written or overwritten, potentially corrupting critical system data. Availability is also highly impacted, as overwriting essential system files or configurations can lead to a complete Denial of Service (DoS). When Anyquery runs with elevated privileges (e.g., as root) or can write to critical directories like web roots or cronjob folders, the AFW escalates directly to Remote Code Execution (RCE) with a CVSS score of 9.8 (Critical), allowing full system compromise, persistence, and potential privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50006 by upgrading Anyquery to version 0.4.5 or later immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious file creations by the \u003ccode\u003eanyquery\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003efile_event\u003c/code\u003e logging for Linux endpoints to capture file creations in sensitive directories like \u003ccode\u003e/etc/cron.d/\u003c/code\u003e and \u003ccode\u003e/var/www/html/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging to monitor for suspicious \u003ccode\u003eanyquery\u003c/code\u003e process command-line arguments, especially \u003ccode\u003e--host 0.0.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:16:28Z","date_published":"2026-07-14T19:16:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-anyquery-afw-rce/","summary":"Anyquery in server mode is vulnerable to arbitrary file write (AFW) due to its failure to restrict native SQLite disk manipulation commands like `ATTACH DATABASE`. Unauthenticated attackers can connect to the MySQL-compatible server port and write arbitrary files (e.g., PHP webshells, malicious cronjobs) to any path writable by the Anyquery process, which can lead to remote code execution (RCE) with the privileges of the Anyquery process, significantly impacting system integrity and availability.","title":"Anyquery Arbitrary File Write (AFW) Leads to Remote Code Execution (RCE)","url":"https://feed.craftedsignal.io/briefs/2026-07-anyquery-afw-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Anyquery","version":"https://jsonfeed.org/version/1.1"}