# [CRIT] [GHSA / CRITICAL] CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE **Source:** GitHub Security Advisories **Published:** 2026-06-05 **Article:** https://github.com/advisories/GHSA-h535-j5hr-mv56 ## Threat Profile DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE The `unzipDirectory()` function in `packages/api/src/shell/unzipDirectory.js` (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with `../` entries writes files anywhere on the filesystem. In the default Docker deployment, DbGate runs as root and the `none` auth provider issues JWT tokens without credentials via `POST /auth/login`, so this is exploitable by any netw… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47669` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1053.003** — Scheduled Task/Job: Cron - **T1505.003** — Server Software Component: Web Shell - **T1078** — Valid Accounts ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### DbGate Zip Slip (CVE-2026-47669): node process writes outside archive dir to OS-sensitive paths `UC_119_2` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.process_name="node" AND (Filesystem.file_path="/etc/cron.d/*" OR Filesystem.file_path="/etc/cron.daily/*" OR Filesystem.file_path="/etc/cron.hourly/*" OR Filesystem.file_path="/etc/cron.weekly/*" OR Filesystem.file_path="/etc/cron.monthly/*" OR Filesystem.file_path="/var/spool/cron/*" OR Filesystem.file_path="/etc/sudoers.d/*" OR Filesystem.file_path="/root/.ssh/*" OR Filesystem.file_path="/etc/ld.so.preload" OR Filesystem.file_path="/etc/init.d/*" OR Filesystem.file_path="/etc/profile.d/*" OR Filesystem.file_path="/usr/local/bin/*" OR Filesystem.file_path="/usr/local/sbin/*" OR Filesystem.file_path="/etc/systemd/system/*") by Filesystem.dest Filesystem.process_name Filesystem.process_path Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql // CVE-2026-47669 DbGate Zip Slip - node process writes outside archive dir DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName =~ "node" | where InitiatingProcessCommandLine has_any ("dbgate", "packages/api", "/app/packages") | where FolderPath startswith "/etc/cron." or FolderPath startswith "/var/spool/cron/" or FolderPath startswith "/etc/sudoers.d/" or FolderPath startswith "/root/.ssh/" or FolderPath startswith "/etc/init.d/" or FolderPath startswith "/etc/profile.d/" or FolderPath startswith "/etc/systemd/system/" or FolderPath startswith "/usr/local/bin/" or FolderPath startswith "/usr/local/sbin/" or FolderPath == "/etc/ld.so.preload" or FolderPath == "/etc/passwd" or FolderPath == "/etc/shadow" | project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessAccountName, InitiatingProcessParentFileName | order by Timestamp desc ``` ### DbGate exploit chain: anonymous /auth/login + /api/archive/unzip POSTs from same source (CVE-2026-47669) `UC_119_3` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstSeen max(_time) as lastSeen values(Web.url) as urlsHit values(Web.http_user_agent) as user_agents dc(Web.url) as distinct_endpoints from datamodel=Web where Web.http_method=POST AND (Web.url="*/api/archive/unzip" OR Web.url="*/api/archive/save-uploaded-zip" OR Web.url="*/api/uploads/upload" OR Web.url="*/api/auth/login") by Web.src Web.dest | `drop_dm_object_name(Web)` | where distinct_endpoints >= 2 AND (mvfind(urlsHit,"/api/archive/unzip")>=0 OR mvfind(urlsHit,"/api/archive/save-uploaded-zip")>=0) | convert ctime(firstSeen) ctime(lastSeen) | sort - count ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbit `UC_119_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbit ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/etc/cron.d/dbgate-pwn*" OR Filesystem.file_path="*/tmp/pwned*" OR Filesystem.file_path="*/etc/cron.d/*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbit // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/etc/cron.d/dbgate-pwn", "/tmp/pwned", "/etc/cron.d/")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47669` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.