
CVE-2026-47668: Unauthenticated RCE Vulnerability in DbGate

Severity: Critical (Score: 86.0)

Sources: Advisories.Gitlab, Endorlabs

Published: 2026-06-07 · Updated: 2026-06-07

Keywords: code, json, script, dbgate, remote, execution, runner

Severity indicators: remote code execution, CVE-2026-47668

Summary

DbGate's JSON script runner has a critical vulnerability (CVE-2026-47668) that allows unauthenticated remote code execution via the functionName parameter of JSON script assign commands. The parameter value is concatenated directly into dynamically generated JavaScript source, which is then executed in a forked Node.js child process. In the default deployment authentication is disabled, so the endpoint is reachable without credentials. A successful exploit gives the attacker the full Node.js runtime, including built-in modules. The vulnerability carries a CVSS score of 10.0. Organizations running DbGate should apply the patch and review their deployment settings. The source advisories aggregated here were published on June 6, 2026.

Key Points:
  • CVE-2026-47668 allows unauthenticated remote code execution in DbGate.
  • The root cause is unsafe string interpolation of user input into generated JavaScript.
  • Default deployment settings (authentication disabled) expose the endpoint to unauthenticated attackers.

Detailed Analysis

**Impact** All users of DbGate running a default or misconfigured deployment are affected, because the vulnerability allows remote code execution without authentication. This includes organizations across sectors that rely on DbGate for database management, exposing both the data behind its configured connections and operational control of the host. In default anonymous-authentication mode the vulnerability carries the maximum CVSS score of 10.0, reflecting full compromise of confidentiality, integrity, and availability.

**Technical Details** CVE-2026-47668 is a code injection via the functionName parameter of JSON script assign commands sent to the POST /runners/start endpoint. The user-controlled value is concatenated directly into JavaScript source, which is then executed in a forked Node.js child process. That child process is not a sandbox: injected code runs with the full Node.js runtime, including built-in modules. Because authentication is disabled in default deployments, no credentials are needed to reach the endpoint. The vulnerability was discovered on 2026-03-31, patched in version 7.1.9 on 2026-04-22, and publicly disclosed on 2026-05-20. No specific IOCs were provided.

**Recommended Response** Upgrade to DbGate 7.1.9 or later. Verify that authentication is enabled and anonymous access is disabled in the deployment's configuration; DbGate is configured through environment variables, so confirm the effective settings on the running instance rather than assuming the defaults. Monitor network and application logs for POST requests to /runners/start whose functionName or variableName values are anything other than plain identifiers. If patching is not immediately possible, restrict access to the API endpoints with network-level controls so that only trusted clients can reach them, and review the access logs of any instance that was exposed without authentication for earlier requests of this shape.
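The following is an added example, not DbGate's own code, and it does not reproduce DbGate's JSON script format: it models the pattern the advisory describes (an assign command whose functionName is concatenated into JavaScript source that is then executed) beside a hardened generator that validates names against an allowlist and passes them as JSON string literals, plus a small check that flags request bodies carrying non-identifier names, which is the log-monitoring rule suggested above. The function names, the ALLOWED_FUNCTIONS table, the body shape with a `script` array, and the sample requests are all hypothetical and constructed for this example; `new Function` stands in for the forked child process, since both execute the generated text with the full Node.js runtime.

```javascript
// Added example (not DbGate code). Names and request shapes are hypothetical.

// Functions a script may call; the hardened builder resolves names against this
// table instead of trusting the request.
const ALLOWED_FUNCTIONS = {
  upper: (s) => String(s).toUpperCase(),
  length: (s) => String(s).length,
};

// Shape of a plain identifier; anything else in a name field is hostile.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: functionName and variableName go into the source verbatim.
function buildScriptVulnerable(commands) {
  const lines = [];
  for (const cmd of commands) {
    if (cmd.type !== 'assign') continue;
    // BUG: string concatenation of user-controlled values into code
    lines.push(`vars.${cmd.variableName} = fn.${cmd.functionName}(${JSON.stringify(cmd.value)});`);
  }
  return lines.join('\n');
}

// Hardened pattern: names must be plain identifiers, functionName must be on the
// allowlist, and both reach the generated code only as JSON string literals that
// are looked up at runtime, never as bare source text.
function buildScriptHardened(commands) {
  const lines = [];
  for (const cmd of commands) {
    if (cmd.type !== 'assign') continue;
    if (typeof cmd.variableName !== 'string' || !IDENT.test(cmd.variableName)) {
      throw new Error(`rejected variableName: ${JSON.stringify(cmd.variableName)}`);
    }
    if (typeof cmd.functionName !== 'string' ||
        !Object.prototype.hasOwnProperty.call(ALLOWED_FUNCTIONS, cmd.functionName)) {
      throw new Error(`rejected functionName: ${JSON.stringify(cmd.functionName)}`);
    }
    lines.push(`vars[${JSON.stringify(cmd.variableName)}] = ` +
               `fn[${JSON.stringify(cmd.functionName)}](${JSON.stringify(cmd.value)});`);
  }
  return lines.join('\n');
}

// Stand-in for the forked child process: whatever text reaches here runs with the
// full Node.js runtime, so the generator above is the only trust boundary.
function runScript(source, fn) {
  const vars = {};
  new Function('vars', 'fn', source)(vars, fn);
  return vars;
}

// Detection over captured request bodies (e.g. from a reverse proxy in front of
// POST /runners/start): returns the assign commands whose names are not identifiers.
function suspiciousAssigns(body) {
  const script = Array.isArray(body.script) ? body.script : [];
  return script.filter((cmd) => cmd && cmd.type === 'assign' &&
    (typeof cmd.functionName !== 'string' || !IDENT.test(cmd.functionName) ||
     typeof cmd.variableName !== 'string' || !IDENT.test(cmd.variableName)));
}

// Constructed samples: a benign command and one carrying an injected statement
// that sets a marker on globalThis when it executes.
const BENIGN = { script: [{ type: 'assign', variableName: 'out', functionName: 'upper', value: 'abc' }] };
const INJECTED = { script: [{
  type: 'assign', variableName: 'out',
  functionName: 'upper("");globalThis.pwned=true;fn.upper', value: 'abc',
}] };

function demonstrate() {
  delete globalThis.pwned;
  const benignVars = runScript(buildScriptVulnerable(BENIGN.script), ALLOWED_FUNCTIONS);
  runScript(buildScriptVulnerable(INJECTED.script), ALLOWED_FUNCTIONS);
  const vulnerableExecutedInjection = globalThis.pwned === true;
  let hardenedRejected = false;
  try { buildScriptHardened(INJECTED.script); } catch (e) { hardenedRejected = true; }
  const hardenedVars = runScript(buildScriptHardened(BENIGN.script), ALLOWED_FUNCTIONS);
  return {
    benignResult: benignVars.out,                     // 'ABC'
    vulnerableExecutedInjection,                      // true: attacker statement ran
    hardenedRejected,                                 // true
    hardenedResult: hardenedVars.out,                 // 'ABC'
    flagged: suspiciousAssigns(INJECTED).length,      // 1
    flaggedBenign: suspiciousAssigns(BENIGN).length,  // 0
  };
}

console.log(demonstrate());
```

The injected functionName closes the legitimate call, appends its own statement, and re-opens a call so the generated line stays syntactically valid; that is the whole attack, and it works against any generator that treats a name as source text. The hardened builder fails closed (a bad name aborts the whole script rather than being skipped), and because the allowlist is the primary control, the JSON-literal escaping is only defence in depth.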

Source articles (2)

  • CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution via JSON Script Runner — Advisories.Gitlab · 2026-06-06
    DbGate’s JSON script runner ( POST /runners/start ) allows remote code execution via code injection in the functionName parameter of JSON script assign commands. The functionName value is interpolated…
  • CVE-2026-47668, DbGate: Unauthenticated Remote Code Execution via JSON Script Runner — Endorlabs · 2026-06-06
    DbGate's JSON script runner ( POST /runners/start ) allows remote code execution via code injection in the functionName parameter of JSON script assign commands. The functionName value is interpolated…

Timeline

  • 2026-06-06 — CVE-2026-47668 disclosed: DbGate's JSON script runner vulnerability allows unauthenticated RCE via functionName parameter, impacting default deployments.
  • 2026-06-06 — CVE-2026-47668 published by GitLab: GitLab confirmed the same vulnerability in DbGate, emphasizing the risk of unauthenticated remote code execution.

CVEs

  • CVE-2026-47668

Related entities

  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-94 - Code Injection (Cwe)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • Node.js (Tool)