Submeter #756043: Dataease SQLbot <= v1.6.0 Server-Side Request Forgeryinformação

TítuloDataease SQLbot <= v1.6.0 Server-Side Request Forgery
Descrição### Vulnerability Description [SQLBot](https://github.com/dataease/SQLBot) is an intelligent data query system based on large language models and RAG, meticulously crafted by the DataEase open-source project team. With SQLBot, users can perform conversational data analysis (ChatBI), quickly extracting the necessary data information and visualizations, and supporting further intelligent analysis. In `backend/apps/db/es_engine.py`, the Elasticsearch query function directly uses user-provided `host` parameter to make HTTP requests without validating the target address, leading to Server-Side Request Forgery (SSRF). Attackers can use this to scan internal networks, access cloud metadata services, and exploit internal services. ### Affected Versions SQLBot ≤ 1.6.0
Fonte⚠️ https://www.notion.so/SQLbot-SSRF-in-Elasticsearch-Unvalidated-Requests-2afea92a3c4180bea524f1a253f8d9a0
Utilizador
 din4 (UID 50867)
Submissão11/02/2026 04h44 (há 2 meses)
Moderação02/04/2026 13h02 (2 months later)
EstadoAceite
Entrada VulDB354854 [Dataease SQLbot até 1.6.0 Elasticsearch es_engine.py get_es_data_by_http address Elevação de Privilégios]
Pontos17

VoltarVisão GeralPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!