CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
DbGate’s JSON script runner (POST /runners/start) allows remote code execution via code injection in the functionName parameter of JSON script assign commands. The functionName value is interpolated directly into dynamically generated JavaScript source code via string concatenation. The generated code is then executed in a forked Node.js child process.
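The pattern described above, next to a hardened form, as an added example that is not DbGate's own code. The command shape (variableName, props, a commands array), the api object and the allowlist entries are assumptions made for illustration; the sample commands are constructed.

```javascript
// Added illustration, not DbGate source. Field names other than functionName,
// the `api` object and the allowlist entries are assumptions.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const ALLOWED_FUNCTIONS = new Set(['csvReader', 'jsonWriter', 'tableReader']);

// Vulnerable pattern: functionName becomes part of the generated source text.
function generateUnsafe(cmd) {
  return `const ${cmd.variableName} = await api.${cmd.functionName}(${JSON.stringify(cmd.props ?? {})});`;
}

// Reject anything that is not a known function name or a plain identifier.
function validateAssign(cmd) {
  const errors = [];
  if (typeof cmd.variableName !== 'string' || !IDENT.test(cmd.variableName)) {
    errors.push('variableName is not a plain identifier');
  }
  if (typeof cmd.functionName !== 'string' || !ALLOWED_FUNCTIONS.has(cmd.functionName)) {
    errors.push('functionName is not in the allowlist');
  }
  return errors;
}

// Hardened pattern: validate first, then emit functionName only as a quoted
// string key, so it can never contribute syntax to the generated code.
function generateSafe(cmd) {
  const errors = validateAssign(cmd);
  if (errors.length) throw new Error(errors.join('; '));
  return `const ${cmd.variableName} = await api[${JSON.stringify(cmd.functionName)}](${JSON.stringify(cmd.props ?? {})});`;
}

// Review a whole JSON script (for example a logged request body) and report
// every assign command that would be rejected.
function auditScript(script) {
  const findings = [];
  (script.commands ?? []).forEach((cmd, index) => {
    if (cmd.type !== 'assign') return;
    const errors = validateAssign(cmd);
    if (errors.length) findings.push({ index, errors });
  });
  return findings;
}

// Constructed sample input: one well-formed command, one carrying extra syntax.
const good = { type: 'assign', variableName: 'reader', functionName: 'csvReader', props: { fileName: 'a.csv' } };
const bad = { type: 'assign', variableName: 'reader2', functionName: 'csvReader; extraStatement', props: {} };
const sampleScript = { type: 'json', commands: [good, bad] };
```

generateUnsafe(bad) yields source containing a second statement, while generateSafe(bad) throws before any source is produced; auditScript can be run over stored request bodies to flag commands of this kind.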