CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49360

highcovered by 1 sourcefirst seen 2026-07-02
Impact Recce OSS server deployments that expose the server to an untrusted network without authentication are vulnerable to unauthenticated SQL execution through the query run API. When Recce is configured with a DuckDB-backed project, an attacker can use DuckDB filesystem primitives to read and write files accessible to the Recce server process. The impact depends on how Recce is deployed, but may include disclosure of local files, tampering with Recce/dbt artifacts, modification of browser-served static files leading to stored XSS, and modification of application files if those paths are writable. If Recce is run as root, file access occurs with root privileges inside that host or container. Patches This issue has been patched in Recce v1.50.0. Users should upgrade to Recce v1.50.0 or later. The patch restricts unsafe file read/write behavior for DuckDB-backed query execution and hardens the affected query path. Other warehouse adapters have also been reviewed for similar exposure. Credits Thanks to Sitampan (@hxcbtc) for responsibly reporting this issue. Workarounds Users who cannot upgrade immediately should avoid exposing recce server to the public internet or any untrusted network. Recommended mitigations include enabling authentication or placing Recce behind an authenticated reverse proxy/VPN, running Recce as a non-root user, using a read-only application filesystem where possible, and ensuring that sensitive files or credentials are not available to the Recce process.

⚡ Watch CVE-2026-49360

Get an email if CVE-2026-49360 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49360

CVE.org record

Embed the live status

CVE-2026-49360 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49360 status](https://www.csirts.com/badge/CVE-2026-49360)](https://www.csirts.com/cve/CVE-2026-49360)