# [CRIT] [GHSA / CRITICAL] CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution via JSON Script Runner **Source:** GitHub Security Advisories **Published:** 2026-06-05 **Article:** https://github.com/advisories/GHSA-8v3q-9vmx-36vc ## Threat Profile DbGate: Unauthenticated Remote Code Execution via JSON Script Runner ### Summary DbGate's JSON script runner (`POST /runners/start`) allows remote code execution via code injection in the `functionName` parameter of JSON script `assign` commands. The `functionName` value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The generated code is then executed in a forked Node.js child process. ### Details #### Step 1: User Input Entry Point **Fil… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47668` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1078.001** — Valid Accounts: Default Accounts ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### DbGate CVE-2026-47668 — Node.js runner spawning shell/LOLBin children for egress `UC_120_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_path) as child_path values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("node","node.exe") OR Processes.parent_process_path="*dbgate*" OR Processes.parent_process="*bundle.js*" OR Processes.parent_process="*/.dbgate/run/*") AND Processes.process_name IN ("wget","curl","sh","bash","dash","zsh","ksh","powershell.exe","pwsh","cmd.exe","nc","ncat","python","python3","perl","ruby") by Processes.dest Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process | `drop_dm_object_name(Processes)` | where firstTime>relative_time(now(),"-7d@d") ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node","node.exe") | where InitiatingProcessCommandLine has_any ("bundle.js",".dbgate/run/","dbgate-docker","DBGATE_API") or InitiatingProcessFolderPath has_any ("/home/dbgate-docker","\\dbgate\\","/.dbgate/run/") | where FileName in~ ("wget","curl","sh","bash","dash","zsh","powershell.exe","pwsh","cmd.exe","nc","ncat","python","python3","perl","ruby","certutil.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### DbGate exploit web request — POST /runners/start or /runners/load-reader with child_process injection `UC_120_3` · phase: **delivery** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.http_user_agent) as ua values(Web.src) as src values(Web.dest) as dest from datamodel=Web.Web where Web.http_method="POST" AND (Web.url="*/runners/start*" OR Web.url="*/runners/load-reader*") by Web.src Web.dest Web.url Web.status | `drop_dm_object_name(Web)` | where firstTime>relative_time(now(),"-7d@d") ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node","node.exe") | where InitiatingProcessCommandLine has_any ("bundle.js","dbgate") | where RemoteIPType == "Public" | join kind=inner ( DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node","node.exe") | where InitiatingProcessCommandLine has_any ("bundle.js",".dbgate/run/","DBGATE_API") | project Timestamp, DeviceId, ChildCmd = ProcessCommandLine, ChildName = FileName ) on DeviceId | where Timestamp between (Timestamp1 - 5m .. Timestamp1 + 5m) | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessCommandLine, ChildName, ChildCmd | order by Timestamp desc ``` ### DbGate anonymous auth-bypass token mint — POST /auth/login with amoid:none `UC_120_4` · phase: **recon** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.http_user_agent) as ua values(Web.status) as status values(Web.src) as src from datamodel=Web.Web where Web.http_method="POST" AND Web.url="*/auth/login*" by Web.src Web.dest Web.url | `drop_dm_object_name(Web)` | where firstTime>relative_time(now(),"-7d@d") | join type=inner src [| tstats summariesonly=true count from datamodel=Web.Web where Web.http_method="POST" AND (Web.url="*/runners/start*" OR Web.url="*/runners/load-reader*") by Web.src | `drop_dm_object_name(Web)`] ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution `UC_120_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("node.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/usr/local/sbin*" OR Filesystem.file_path="*/usr/local/bin*" OR Filesystem.file_path="*/usr/sbin*" OR Filesystem.file_path="*/usr/bin*" OR Filesystem.file_path="*/home/dbgate-docker/bundle.js*" OR Filesystem.file_path="*/root/.dbgate/run/16c2e85a-8512-4a7e-8678-391637bbdc2c*" OR Filesystem.file_name IN ("node.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/home/dbgate-docker/bundle.js", "/root/.dbgate/run/16c2e85a-8512-4a7e-8678-391637bbdc2c") or FileName in~ ("node.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47668` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.