CVE Alert

CVE-2026-5417

MEDIUM 4.7

Dataease SQLbot Elasticsearch es_engine.py get_es_data_by_http server-side request forgery

CVSS Score: 4.7
EPSS Score: 0.0%
EPSS Percentile: 10th

A vulnerability was found in Dataease SQLbot up to version 1.6.0. It affects the function get_es_data_by_http in the file backend/apps/db/es_engine.py of the Elasticsearch Handler component. Manipulation of the argument address leads to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 1.7.0 addresses this issue; the affected component should be upgraded. The vendor was contacted early about this disclosure.

CWE: CWE-918
Vendor: dataease
Product: sqlbot
Published: Apr 2, 2026
Last Updated: Apr 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: Low (A:L)

Affected Versions

Dataease / SQLbot
1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6.0

References

NVD, CVE.org, EPSS Data
vuldb.com: https://vuldb.com/vuln/354854
vuldb.com: https://vuldb.com/vuln/354854/cti
vuldb.com: https://vuldb.com/submit/756043
notion.so: https://www.notion.so/SQLbot-SSRF-in-Elasticsearch-Unvalidated-Requests-2afea92a3c4180bea524f1a253f8d9a0
github.com: https://github.com/dataease/SQLBot/releases/tag/v1.7.0

Credits

din4 (VulDB User), VulDB CNA Team