PT-2026-29872 · Elastic+1 · Elasticsearch+1
Din4 · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-5417
CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:L/Au:M/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Dataease SQLbot versions up to 1.6.0
Description
A server-side request forgery (SSRF) vulnerability exists in the Elasticsearch Handler component, specifically within the get_es_data_by_http function of the backend/apps/db/es_engine.py file. Manipulation of the address argument can trigger this issue, allowing for remote exploitation. The exploit has been publicly disclosed.
Recommendations
Upgrade to version 1.7.0 to address this issue.
Affected Products
Dataease Sqlbot
Elasticsearch