Description
A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. Manipulating the argument address causes server-side request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.7.0 addresses this issue. You should upgrade the affected component. The vendor was contacted early about this disclosure.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in Dataease SQLbot versions up to 1.6.0, specifically in the get_es_data_by_http function within the Elasticsearch handler. By manipulating the address argument, an attacker can cause the application to perform unauthorized HTTP requests to internal or external resources, leading to potential data exposure or manipulation of internal services. The flaw is publicly disclosed and can be exploited from a remote location.
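As an added example (not SQLbot's own code or its fix), this is the kind of CWE-918 control a backend needs before it opens an HTTP connection to a caller-supplied Elasticsearch address: a configured host allowlist as the primary check, plus a resolution check that catches an allowlisted name pointed at a loopback or link-local address. ALLOWED_ES_HOSTS, validate_es_address and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the Elasticsearch hosts this deployment is permitted to
# query. In a real service this comes from configuration, never from the request.
ALLOWED_ES_HOSTS = {"es.internal.example", "es-backup.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_forbidden_ip(ip):
    # Loopback, link-local (cloud metadata endpoints), multicast and unspecified
    # addresses are never legitimate Elasticsearch targets. Private ranges are
    # allowed because an internal ES cluster normally lives there.
    return ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified


def validate_es_address(address, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a user-supplied Elasticsearch base URL.

    The allowlist is the primary control; the resolution check additionally
    rejects an allowlisted name that resolves (e.g. after DNS rebinding) to a
    loopback or link-local address.
    """
    parts = urlsplit(address)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_ES_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port or 9200  # .port raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "host does not resolve"
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])  # sockaddr[0] is the IP string
        if _is_forbidden_ip(ip):
            return False, f"resolves to non-routable address {ip}"
    return True, "ok"
```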

Affected Systems

Dataease SQLbot is the affected product. All releases from the first public version through 1.6.0 contain the vulnerability. The vendor recommends upgrading to version 1.7.0 to eliminate the issue.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity risk. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The description states that the attack may be initiated remotely and does not explicitly require user authentication to trigger the SSRF. Because the exploit is publicly disclosed, vulnerable installations could become targets of opportunistic attackers.

Generated by OpenCVE AI on April 2, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Dataease SQLbot version 1.7.0 or later.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Dataease; Dataease sqlbot
Vendors & Products   -                Dataease; Dataease sqlbot

Thu, 02 Apr 2026 20:30:00 +0000

Type         Values Removed   Values Added
Description  -                A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address causes server-side request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.7.0 is capable of addressing this issue. You should upgrade the affected component. The vendor was contacted early about this disclosure.
Title        -                Dataease SQLbot Elasticsearch es_engine.py get_es_data_by_http server-side request forgery
Weaknesses   -                CWE-918
References   -                -
Metrics      -                cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
                              cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                              cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                              cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T18:15:11.883Z

Reserved: 2026-04-02T11:02:32.972Z

Link: CVE-2026-5417

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-02T19:21:36.497

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:54Z

Weaknesses