CVE-2026-47670: Authenticated Remote Code Execution via loadReader functionName code injection in DbGate
DbGate is vulnerable to authenticated Remote Code Execution (RCE). Any user with valid DbGate credentials can execute arbitrary OS commands as root by exploiting an unsanitized functionName parameter in the /runners/load-reader endpoint. The require = null mitigation is trivially bypassed via dynamic import().
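One way to close this class of bug is to stop treating functionName as code at all and resolve it from a fixed registry instead. The sketch below is an added example, not DbGate's code or its actual fix; the reader names, the `{ functionName, props }` body shape and the helper names are assumptions, and the request bodies are constructed.

```javascript
// Added example: reader names and request bodies are constructed, not DbGate's.
const READERS = new Map([
  ['csvReader', (props) => ({ kind: 'csv', props })],
  ['jsonLinesReader', (props) => ({ kind: 'jsonl', props })],
]);

// A plain identifier of bounded length; no punctuation, whitespace or quotes.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function checkFunctionName(value) {
  // typeof first: ['csvReader'] would coerce to "csvReader" and pass the regex.
  if (typeof value !== 'string') return { ok: false, reason: 'not-a-string' };
  if (!IDENTIFIER.test(value)) return { ok: false, reason: 'bad-shape' };
  // A Map has no inherited keys, so "constructor" or "__proto__" simply miss.
  if (!READERS.has(value)) return { ok: false, reason: 'not-registered' };
  return { ok: true, reason: null };
}

// The name selects a function from the registry; it is never spliced into source.
function resolveReader(body) {
  const verdict = checkFunctionName(body && body.functionName);
  if (!verdict.ok) throw new Error(`functionName rejected: ${verdict.reason}`);
  return READERS.get(body.functionName);
}

// Detection side: list the rejected bodies so they can be logged and alerted on.
function auditRequests(bodies) {
  return bodies
    .map((body, index) => ({ index, ...checkFunctionName(body && body.functionName) }))
    .filter((entry) => !entry.ok);
}

// Constructed sample bodies for the load-reader endpoint.
const SAMPLE_BODIES = [
  { functionName: 'csvReader', props: {} },
  { functionName: 'csvReader; sideEffect()', props: {} },
  { functionName: ['csvReader'], props: {} },
  { functionName: 'constructor', props: {} },
  { props: {} },
];

console.log(auditRequests(SAMPLE_BODIES));
```

A deny-list in the style of require = null leaves every other route to code loading open, which is why the check above accepts only known names rather than trying to block dangerous ones.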
Detect and mitigate CVE-2026-47670 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.