CVE-2026-5417

MEDIUM NVD

CVSS Score 4.7

Severity MEDIUM

Published Apr 02, 2026

Vendor unknown

Description

A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address causes server-side request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.7.0 is capable of addressing this issue. You should upgrade the affected component. The vendor was contacted early about this disclosure.

References

https://github.com/dataease/SQLBot/releases/tag/v1.7.0
https://vuldb.com/submit/756043
https://vuldb.com/vuln/354854
https://vuldb.com/vuln/354854/cti
https://www.notion.so/SQLbot-SSRF-in-Elasticsearch-Unvalidated-Requests-2afea92a3c4180bea524f1a253f8d9a0