Description
A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery
Action: Apply Patch
AI Analysis

Impact

A flaw in the apiServerUrl1 function within DbGate's REST/GraphQL module exposes a server‑side request forgery vulnerability. This issue allows an attacker to craft requests that the server will forward to arbitrary internal or external URLs, potentially accessing restricted resources or probing the network. The vulnerability admits remote exploitation, and a public exploit is available, indicating that attackers can initiate the attack from any network that can reach the DBGate instance.

Affected Systems

All installations of DbGate up to and including version 7.1.4 are affected. The flaw resides in the packages/rest/src/openApiDriver.ts component of the REST/GraphQL interface. No other specific sub‑products or configuration details were provided, but any instance of DbGate exposing the REST/GraphQL API is at risk.

Risk and Exploitability

The CVSS score is 5.3, reflecting a moderate level of severity. The EPSS value is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit code is publicly available and the attack can be initiated remotely, the likelihood of exploitation is appreciable, especially in environments where the REST/GraphQL API is exposed without additional controls.

Generated by OpenCVE AI on April 13, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DbGate to a version later than 7.1.4 once a patch is released by the vendor.
  • If an update is not yet available, restrict or disable access to the REST/GraphQL API endpoints, ensuring only trusted users can reach them.
  • Implement network segmentation or firewall rules to block outbound requests to untrusted destinations from the DbGate service.
  • Regularly monitor logs for unexpected outbound HTTP requests originating from the DbGate process and investigate anomalies.

Generated by OpenCVE AI on April 13, 2026 at 21:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Dbgate
Dbgate dbgate
Vendors & Products Dbgate
Dbgate dbgate

Mon, 13 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title DbGate REST/GraphQL openApiDriver.ts apiServerUrl1 server-side request forgery
Weaknesses CWE-918
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Dbgate Dbgate
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T16:28:52.818Z

Reserved: 2026-04-13T13:18:15.353Z

Link: CVE-2026-6215

cve-icon Vulnrichment

Updated: 2026-04-14T15:28:30.715Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T20:16:47.723

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:27Z

Weaknesses