Dataease SQLbot Server-Side Request Forgery Vulnerability in Elasticsearch Handler

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Dataease SQLbot versions up to and including 1.6.0. The issue lies in the Elasticsearch Handler component, specifically in the 'get_es_data_by_http' function of 'backend/apps/db/es_engine.py'. Because the 'host' parameter is taken from the request without validation, a remote attacker can make the server issue requests to internal services or to cloud metadata endpoints.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can send requests from the server to internal resources, potentially accessing sensitive data or services.

Remediation

Users are advised to upgrade to Dataease SQLbot version 1.7.0, which addresses this vulnerability.
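As an added illustration of the defensive check such a handler needs (example code written for this page, not SQLbot's own code and not the 1.7.0 fix), the validator below vets a caller-supplied 'host' before any HTTP request is built from it: it rejects URL and userinfo smuggling, optionally enforces an operator allow-list, resolves the name and refuses loopback, private, link-local (cloud metadata), multicast, reserved and IPv4-mapped forms of those addresses, and returns the resolved addresses so the caller can pin the connection against DNS rebinding. The allow-list, the port 9200 default and the resolver hook are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_ES_PORT = 9200  # assumption: Elasticsearch's conventional HTTP port


def resolve_all(hostname: str) -> List[str]:
    """Resolve to every address; literal IPs pass through without DNS."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_safe_target(addr: str) -> bool:
    """False for loopback, RFC1918, link-local (169.254.169.254), multicast, etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified
                or getattr(ip, "is_site_local", False))


def validate_es_host(host: str, allowed: Optional[Iterable[str]] = None,
                     resolver: Callable[[str], List[str]] = resolve_all,
                     ) -> Tuple[str, int, List[str]]:
    """Vet a caller-supplied 'host' (host[:port]) and return (hostname, port, pinned_ips).

    The caller should connect to one of pinned_ips and send hostname in the Host
    header rather than re-resolving, so a DNS answer cannot change after the check.
    """
    parts = urlsplit("//" + host)  # parse as an authority, never as a full URL
    if (parts.username or parts.password or parts.path
            or parts.query or parts.fragment or not parts.hostname):
        raise ValueError("host must be host[:port], not a URL or userinfo")
    hostname = parts.hostname
    port = parts.port or DEFAULT_ES_PORT  # .port raises ValueError if not numeric
    if allowed is not None and hostname not in {h.lower() for h in allowed}:
        raise ValueError(f"{hostname} is not an allow-listed Elasticsearch host")
    pinned = resolver(hostname)  # every address must pass, not just the first
    for addr in pinned:
        if not is_safe_target(addr):
            raise ValueError(f"{hostname} resolves to disallowed address {addr}")
    return hostname, port, pinned
```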

Added: Apr 2, 2026, 9:36 PM
Updated: Apr 2, 2026, 9:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.