# [CRIT] [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadReader functionName code injection in DbGate **Source:** GitHub Security Advisories **Published:** 2026-06-05 **Article:** https://github.com/advisories/GHSA-wm5r-5qp3-5vxf ## Threat Profile Authenticated Remote Code Execution via loadReader functionName code injection in DbGate ### Summary DbGate is vulnerable to authenticated Remote Code Execution (RCE). Any user with valid DbGate credentials can execute arbitrary OS commands as root by exploiting an unsanitized `functionName` parameter in the `/runners/load-reader` endpoint. The `require = null` mitigation is trivially bypassed via dynamic `import()`.
### Details **Code injection via `functionName` in loadReader** Th… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47670` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1059.003** — Command and Scripting Interpreter: Windows Command Shell ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### DbGate loadReader functionName code injection (CVE-2026-47670) `UC_118_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.src) as src values(Web.user) as user from datamodel=Web.Web where Web.http_method=POST Web.uri_path="*/runners/load-reader" (Web.http_user_agent=* OR Web.url=*) by Web.dest Web.uri_path Web.src Web.user | `drop_dm_object_name(Web)` | search url="*child_process*" OR url="*import(*" OR url="*execSync*" OR url="*\nvar*" OR url="*%0Avar*" OR url="*%0Aawait*" | rename firstTime as earliest lastTime as latest | convert ctime(earliest) ctime(latest) ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where RemoteUrl has "/runners/load-reader" or InitiatingProcessCommandLine has "/runners/load-reader" | project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### DbGate node process spawning shell child (post-exploit RCE) `UC_118_3` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name=node OR Processes.parent_process_name=node.exe OR Processes.parent_process_name=dbgate OR Processes.parent_process_path="*dbgate*") (Processes.process_name=sh OR Processes.process_name=bash OR Processes.process_name=dash OR Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh OR Processes.process_name=busybox) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | rename firstTime as earliest lastTime as latest | convert ctime(earliest) ctime(latest) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node","node.exe","dbgate","dbgate.exe") or InitiatingProcessFolderPath has_any ("/app/packages/api", "/dbgate", "dbgate") | where FileName in~ ("sh","bash","dash","zsh","ash","busybox","cmd.exe","powershell.exe","pwsh","pwsh.exe") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileName, ProcessCommandLine, ProcessIntegrityLevel | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadRe `UC_118_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadRe ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("poc.py","bundle.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/usr/bin/env*" OR Filesystem.file_path="*/tmp/_rce_*" OR Filesystem.file_path="*/etc/shadow*" OR Filesystem.file_path="*/root/.dbgate*" OR Filesystem.file_name IN ("poc.py","bundle.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadRe // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("poc.py", "bundle.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/usr/bin/env", "/tmp/_rce_", "/etc/shadow", "/root/.dbgate") or FileName in~ ("poc.py", "bundle.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47670` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.