CVE-2026-49360

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB

Impact

Recce OSS server deployments that expose the server to an untrusted network without authentication are vulnerable to unauthenticated SQL execution through the query run API.

When Recce is configured with a DuckDB-backed project, an attacker can use DuckDB filesystem primitives to read and write files accessible to the Recce server process. The impact depends on how Recce is deployed, but may include disclosure of local files, tampering with Recce/dbt artifacts, modification of browser-served static files leading to stored XSS, and modification of application files if those paths are writable. If Recce is run as root, file access occurs with root privileges inside that host or container.

Patches

This issue has been patched in Recce v1.50.0. Users should upgrade to Recce v1.50.0 or later.

The patch restricts unsafe file read/write behavior for DuckDB-backed query execution and hardens the affected query path. Other warehouse adapters have also been reviewed for similar exposure.

Credits

Thanks to Sitampan (@hxcbtc) for responsibly reporting this issue.

Workarounds

Users who cannot upgrade immediately should avoid exposing recce server to the public internet or any untrusted network.

Recommended mitigations include enabling authentication or placing Recce behind an authenticated reverse proxy/VPN, running Recce as a non-root user, using a read-only application filesystem where possible, and ensuring that sensitive files or credentials are not available to the Recce process.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 2, 2026

Last Modified

July 2, 2026

Vendor Advisories for CVE-2026-49360(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-02 22:07 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-49360?
CVE-2026-49360 is a high vulnerability published on July 2, 2026. Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB Impact Recce OSS server deployments that expose the server to an untrusted network without authentication are vulnerable to unauthenticated SQL execution through the query run API. When Recce is…
When was CVE-2026-49360 disclosed?
CVE-2026-49360 was first published in the National Vulnerability Database on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-49360?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49360, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49360

Explore →

Is Your Infrastructure Affected by CVE-2026-49360?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.