Home

Description

A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address causes server-side request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.7.0 is capable of addressing this issue. You should upgrade the affected component. The vendor was contacted early about this disclosure.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-02 | Updated 2026-04-03 | Assigner VulDB




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 4.7CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
5.8AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Server-Side Request Forgery

Product status

1.0
affected

1.1
affected

1.2
affected

1.3
affected

1.4
affected

1.5
affected

1.6.0
affected

1.7.0
unaffected

Timeline

2026-04-02:Advisory disclosed
2026-04-02:VulDB entry created
2026-04-02:VulDB entry last update

Credits

din4 (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/354854 (VDB-354854 | Dataease SQLbot Elasticsearch es_engine.py get_es_data_by_http server-side request forgery) vdb-entry technical-description

vuldb.com/vuln/354854/cti (VDB-354854 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/756043 (Submit #756043 | Dataease SQLbot <= v1.6.0 Server-Side Request Forgery) third-party-advisory

www.notion.so/...d-Requests-2afea92a3c4180bea524f1a253f8d9a0 exploit

github.com/dataease/SQLBot/releases/tag/v1.7.0 patch

cve.org (CVE-2026-5417)

nvd.nist.gov (CVE-2026-5417)

Download JSON