PT-2026-60102 · Anyquery · Anyquery

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-54628

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Anyquery (affected versions not specified)
Description When operating in server mode, the software does not restrict outbound HTTP requests initiated by built-in SQLite virtual table modules, such as json reader and log reader. Unauthenticated attackers connecting via the MySQL-compatible server port can create virtual tables that point to internal network endpoints or Cloud Metadata IPs, such as http://169.254.169.254/latest/meta-data/. This enables Server-Side Request Forgery (SSRF), a technique where an attacker induces the server to make requests to an unintended location, allowing them to bypass external firewalls, scan internal ports, interact with internal APIs, or exfiltrate cloud credentials and IAM tokens.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Block remote HTTP fetches to local and private IP ranges, as well as known Cloud Metadata IP addresses, unless explicitly enabled via configuration.

SSRF

Missing Authorization

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54628
GHSA-HWRQ-8WXH-Q4XV

Affected Products

Anyquery