CVE-2026-47668

CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner

Initial Access Execution Persistence Impact Last updated:

Detects exploitation of CVE-2026-47668, a critical unauthenticated remote code execution vulnerability in dbgate-serve <= 7.1.8. The JSON Script Runner endpoint accepts and executes arbitrary JavaScript/JSON payloads without authentication, allowing attackers to achieve full server compromise. A public PoC is available.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
npm
Product
dbgate-serve
Versions
<= 7.1.8

Weakness (CWE)

CWE-20CWE-94CWE-1188

Timeline

Disclosed
June 5, 2026

CVSS

10.0
Critical (9.0–10)
Read the write-up →

What is CVE-2026-47668 CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner?

CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner (CVE-2026-47668) maps to the Initial Access and Execution and Persistence and Impact tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner, covering the data sources and telemetry it touches: W3CIISLog, AzureDiagnostics, DeviceNetworkEvents, CommonSecurityLog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Impact
Microsoft Sentinel / Defender
kusto 
let dbgate_ports = dynamic([3000, 3001, 8080, 8443]);
let suspicious_paths = dynamic(["/script/run", "/script/execute", "/run-script", "/api/script"]);
union DeviceNetworkEvents, W3CIISLog, AzureDiagnostics
| where TimeGenerated > ago(24h)
| where (
    (csUriStem has_any (suspicious_paths) and csMethod == "POST")
    or (RequestUri has_any (suspicious_paths) and HttpMethod == "POST")
    or (Url has_any (suspicious_paths) and RequestMethod == "POST")
  )
| where (
    csUserName == "-" or csUserName == "" or isempty(csUserName)
    or AuthenticatedUser == "" or isempty(AuthenticatedUser)
  )
| extend UserAgent = coalesce(csUserAgent, UserAgent, RequestUserAgent)
| extend SourceIP = coalesce(cIp, CallerIpAddress, ClientIP)
| project TimeGenerated, SourceIP, UserAgent, RequestPath = coalesce(csUriStem, RequestUri, Url), Method = coalesce(csMethod, HttpMethod, RequestMethod), StatusCode = coalesce(scStatus, ResultCode, HttpStatusCode)
| summarize RequestCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, UserAgent, RequestPath
| where RequestCount >= 1
| extend RiskScore = iif(RequestCount > 5, "High", "Medium")
| project-reorder FirstSeen, LastSeen, SourceIP, RequestPath, RequestCount, RiskScore, UserAgent

Detects unauthenticated POST requests to dbgate-serve script execution endpoints. Looks for requests lacking authentication headers to known script runner paths across IIS logs, Azure Diagnostics, and Defender network events.

critical severity high confidence

Data Sources

W3CIISLog AzureDiagnostics DeviceNetworkEvents CommonSecurityLog

Required Tables

W3CIISLog AzureDiagnostics DeviceNetworkEvents

False Positives

  • Legitimate internal tooling using the dbgate script runner API without authentication in development environments
  • Automated health-check or monitoring scripts hitting the dbgate API
  • Security scanners and vulnerability assessment tools performing authorized scans

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner (CVE-2026-47668) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-47668 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-47668

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-21 Research depth: standard
References (4)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47668 PoC — Unauthenticated Script Execution via curl

    Expected signal: HTTP POST to /script/run with JSON body containing require('child_process'); Node.js spawns a child process (execve syscall with ppid=node); file /tmp/pwned.txt created by node process user

  2. Test 2CVE-2026-47668 — Reverse Shell Payload via Script Runner

    Expected signal: Node.js spawns /bin/sh child process; outbound TCP connection from node process to ATTACKER_IP:4444 visible in netflow and EDR network telemetry

  3. Test 3CVE-2026-47668 — Version Fingerprinting and Endpoint Discovery

    Expected signal: Multiple GET and POST requests to dbgate host from single source IP in short succession; POST to /script/run with simple JS payload; file write event from node process

Unlock Pro Content

Get the full detection package for CVE-2026-47668 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.007JavaScriptT1203Exploitation for Client Execution

Same Tactic: Initial Access

Popular Detections