EXECUTIVE SUMMARY:
CVE-2026-47670, with a CVSS score of 9.4, is a critical authenticated remote code execution flaw in the DbGate API (npm/dbgate-api) affecting all releases up to and including version 7.1.8. The vulnerability stems from the `/runners/load-reader` endpoint, which interpolates a user‑supplied `functionName` parameter directly into a dynamically generated JavaScript template without any sanitisation; by injecting a newline and leveraging a dynamic `import('child_process')` call, an attacker can break out of the template and execute arbitrary JavaScript that invokes `execSync` to run OS commands as the process user, which is root in typical Docker deployments. Exploitation requires only a valid DbGate username and password, after which the attacker can send a crafted HTTP request to the vulnerable endpoint and achieve root‑level command execution on the host. The resulting capability allows attackers to steal data, install ransomware, or pivot to other systems, leading to severe business disruption, data loss, and potential regulatory penalties. Exploitation is possible whenever the service is exposed to authenticated users and the default Docker container configuration (root user) is unchanged, making the risk especially high in multi‑tenant or cloud environments.
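The defect class described above is source-text injection: a request parameter is pasted into JavaScript that is later evaluated, so any value that can close the current expression can append its own statements. The following added example is not DbGate's code; it reconstructs an assumed template shape (`buildReaderScriptUnsafe`) to show how a defender can detect a breakout attempt, and puts a hardened alternative beside it that validates `functionName` as a plain identifier and resolves it from an explicit registry instead of generating source text at all. All function and reader names are assumptions for illustration.

```javascript
// Added example (not DbGate's code). Demonstrates the injection class from the
// advisory and a hardened replacement. The template shape below is assumed.

// Allow-list for a JavaScript identifier: letters, digits, '_' and '$', not
// starting with a digit. Newlines, quotes, parentheses, semicolons and
// 'import(' can never pass this check, so they never reach generated code.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeFunctionName(name) {
  return typeof name === 'string' && name.length <= 64 && IDENTIFIER_RE.test(name);
}

// Assumed shape of the vulnerable pattern: the raw parameter lands in source
// text that will later be evaluated. A value containing a newline adds a
// statement of the caller's choosing.
function buildReaderScriptUnsafe(functionName) {
  return `const reader = await import('./readers.js');\nawait reader.${functionName}();`;
}

// Detection heuristic for generated scripts: a single reader name should
// produce exactly two lines; anything longer means the input broke out.
function countLines(src) {
  return src.split('\n').length;
}

// Hardened design: no code generation. Validate the name, then look it up in
// a registry of known readers (own properties only, so inherited names such
// as 'toString' or '__proto__' are rejected too).
const READERS = {
  loadCsv: () => 'csv-reader',
  loadJson: () => 'json-reader',
};

function resolveReader(functionName) {
  if (!isSafeFunctionName(functionName)) {
    throw new Error('invalid functionName: not a plain identifier');
  }
  if (!Object.prototype.hasOwnProperty.call(READERS, functionName)) {
    throw new Error('unknown reader: ' + functionName);
  }
  return READERS[functionName];
}

// Constructed inputs: a legitimate name and a benign breakout attempt
// (the appended statement is deliberately harmless).
const benign = 'loadCsv';
const breakout = 'loadCsv();\nextraStatement()';

console.log('unsafe, benign input  -> lines:', countLines(buildReaderScriptUnsafe(benign)));   // 2
console.log('unsafe, breakout input -> lines:', countLines(buildReaderScriptUnsafe(breakout))); // 3
console.log('hardened, benign input ->', resolveReader(benign)());                                // csv-reader
try {
  resolveReader(breakout);
} catch (e) {
  console.log('hardened, breakout input -> rejected:', e.message);
}
```

The registry approach is the durable fix: once the value is only ever used as a property key against an object you own, there is no string of source text for an attacker to escape from, and the identifier check becomes defence in depth rather than the sole barrier.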
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-wm5r-5qp3-5vxf