<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>File-Read-Write - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/file-read-write/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:09:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/file-read-write/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated SQL Execution Vulnerability in Recce OSS Server (CVE-2026-49360)</title><link>https://feed.craftedsignal.io/briefs/2026-07-recce-unauthenticated-sql-rce/</link><pubDate>Fri, 03 Jul 2026 11:09:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-recce-unauthenticated-sql-rce/</guid><description>Recce OSS server deployments are vulnerable to unauthenticated SQL execution via the query run API when configured with a DuckDB-backed project, allowing attackers to use DuckDB filesystem primitives to read and write arbitrary files accessible to the server process, potentially leading to data disclosure, tampering, or stored XSS.</description><content:encoded><![CDATA[<p>A critical unauthenticated SQL execution vulnerability, identified as CVE-2026-49360, has been discovered in Recce OSS server versions up to <code>v1.49.0</code>. This flaw specifically affects deployments where the Recce server is exposed to an untrusted network without authentication and is configured to use a DuckDB-backed project. Exploitation allows an attacker to leverage DuckDB filesystem primitives through the <code>query run API</code> to perform arbitrary local file read and write operations on the server. The implications are significant, ranging from sensitive data disclosure and tampering with Recce/dbt artifacts to potential stored Cross-Site Scripting (XSS) via modification of browser-served static files. The severity of impact is heightened if Recce is running with elevated privileges (e.g., as root), as file access would occur with corresponding permissions. The vulnerability was responsibly reported by Sitampan (@hxcbtc) and patched in Recce <code>v1.50.0</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable Recce OSS server (<code>&lt;= v1.49.0</code>) exposed to an untrusted network.</li>
<li>The attacker sends a specially crafted HTTP request to the Recce server's <code>query run API</code> endpoint.</li>
<li>The request payload contains SQL commands leveraging DuckDB syntax and filesystem primitives, bypassing authentication.</li>
<li>The Recce server, running with a DuckDB-backed project, processes the malicious SQL query.</li>
<li>The embedded DuckDB filesystem functions (e.g., <code>READ_CSV</code>, <code>COPY</code>) are executed to access the server's local file system.</li>
<li>The attacker reads sensitive local files (e.g., <code>/etc/passwd</code>, database credentials, application configuration).</li>
<li>Alternatively, the attacker writes malicious content to server-accessible paths (e.g., modifying static files for stored XSS or corrupting application files).</li>
<li>Successful exploitation leads to data exfiltration, system compromise, or persistent defacement, with potential root privileges if the Recce process is running as root.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed impact of this vulnerability depends heavily on the Recce server's deployment configuration. Attackers can achieve unauthorized disclosure of local files, potentially exposing sensitive data, configuration files, or credentials accessible to the Recce server process. Tampering with Recce or dbt artifacts could lead to data integrity issues or supply chain attacks. Modification of browser-served static files might result in stored Cross-Site Scripting (XSS), affecting users interacting with the Recce interface. Furthermore, if application files themselves are writable, attackers could modify core application logic. If the Recce server is running with root privileges (a misconfiguration), the file access can occur with full root capabilities, leading to complete host or container compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-49360 immediately</strong>: Upgrade all Recce server deployments to <code>v1.50.0</code> or later, as specified in the patches section of the advisory.</li>
<li><strong>Implement network access controls</strong>: Ensure <code>recce server</code> is not exposed to the public internet or any untrusted network, as mentioned in the workarounds section.</li>
<li><strong>Deploy behind an authenticated proxy</strong>: Place Recce behind an authenticated reverse proxy or VPN to enforce access control, as suggested in the workarounds section.</li>
<li><strong>Enforce least privilege</strong>: Run the Recce server process as a non-root user to limit the scope of file access in case of compromise, as advised in the workarounds section.</li>
<li><strong>Restrict file system access</strong>: Configure the application's filesystem as read-only where possible, and ensure sensitive files or credentials are not accessible to the Recce process.</li>
<li><strong>Deploy the Sigma rule below</strong>: Use the provided <code>Detect CVE-2026-49360 Exploitation - Recce DuckDB File Operations</code> rule in your SIEM to identify attempts to exploit this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>sql-injection</category><category>file-read-write</category><category>rce</category><category>data-exfiltration</category><category>recce</category></item></channel></rss>