CVE-2017-12635

CRITICAL EXPLOITED IN THE WILD NUCLEI LAB

Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Title source: nuclei
STIX 2.1

Exploitation Summary

CVE-2017-12635 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 7 public exploits from researchers including Metasploit, r4wd3r, assalielmehdi, including a Metasploit module auxiliary/scanner/couchdb/couchdb_enum. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-12636 in Apache CouchDB, allowing arbitrary command execution by leveraging misconfigured query servers. It includes an authentication bypass (CVE-2017-12635) to gain admin privileges.

Description

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/45019

This Metasploit module exploits CVE-2017-12636 in Apache CouchDB, allowing arbitrary command execution by leveraging misconfigured query servers. It includes an authentication bypass (CVE-2017-12635) to gain admin privileges.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB before 1.7.0 and 2.x before 2.1.1
No auth needed
Prerequisites: Network access to CouchDB (default port 5984) · CouchDB version vulnerable to CVE-2017-12636
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by r4wd3r · pythonwebappslinux
https://www.exploit-db.com/exploits/44498

This exploit leverages CVE-2017-12635 to create an admin user in Apache CouchDB by sending a crafted PUT request to the _users endpoint. It bypasses authentication by exploiting improper validation of user roles.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache CouchDB versions prior to 1.7.0 and 2.x prior to 2.1.1
No auth needed
Prerequisites: Network access to the CouchDB service · CouchDB service exposed on the target host
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 10 stars
by assalielmehdi · poc
https://github.com/assalielmehdi/CVE-2017-12635

This PoC demonstrates a privilege escalation vulnerability in Apache CouchDB (CVE-2017-12635) by exploiting a discrepancy between Erlang and JavaScript JSON parsers. The attack involves submitting a user document with duplicate 'roles' keys to bypass validation and escalate to admin privileges.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache CouchDB 1.7.0 / 2.x < 2.1.1
No auth needed
Prerequisites: Access to a vulnerable CouchDB instance · Ability to send HTTP requests to the CouchDB API
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by cyberharsh · poc
https://github.com/cyberharsh/Apache-couchdb-CVE-2017-12635

This PoC demonstrates a vertical privilege escalation vulnerability in Apache CouchDB (CVE-2017-12635) by exploiting a discrepancy in JSON parsing between Erlang and JavaScript. It allows an unauthenticated attacker to create an admin user by sending a crafted HTTP request with duplicate 'roles' fields.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache CouchDB < 1.7.0 and < 2.1.1
No auth needed
Prerequisites: Network access to the CouchDB HTTP API
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by Dungsocool · poc
https://github.com/Dungsocool/CVE-2017-12635_36

This repository provides a detailed technical analysis of CVE-2017-12635 and CVE-2017-12636, including step-by-step exploitation of privilege escalation and remote code execution in Apache CouchDB 1.6.0. It includes proof-of-concept commands and verification steps.

Classification
Writeup 100%
Attack Type
Auth Bypass | Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache CouchDB 1.6.0
No auth needed
Prerequisites: network access to port 5984 · CouchDB 1.6.0 running
devstral-2 · analyzed May 30, 2026 Full analysis →
metasploit SCANNER
by Max Justicz · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/couchdb/couchdb_enum.rb

This Metasploit module enumerates CouchDB databases and server information via the REST API, with optional user creation for vulnerable versions. It does not contain offensive payloads but checks for CVE-2017-12635.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apache CouchDB (versions < 1.7.0 or 2.0.0-2.1.0)
No auth needed
Prerequisites: Network access to CouchDB port (default 5984) · Unauthenticated access or valid credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Max Justicz, Joan Touzet · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_couchdb_cmd_exec.rb

This Metasploit module exploits CVE-2017-12635 and CVE-2017-12636 in Apache CouchDB to achieve remote command execution by leveraging authentication bypass and misconfigured query server paths. It supports both CouchDB 1.x and 2.x versions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB before 1.7.0 and 2.x before 2.1.1
Auth required
Prerequisites: Network access to CouchDB HTTP API · Valid or bypassable authentication credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation
CRITICALby pikpikcu
Shodan: product:"couchdb" || cpe:"cpe:2.3:a:apache:couchdb"

References (7)

Core 7
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44498/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45019/
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201711-16
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101868

Scores

CVSS v3 9.8
EPSS 0.9410
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull vulhub/couchdb:2.1.0
+2 more repos

Details

VulnCheck KEV 2023-11-17
InTheWild.io 2017-01-12
CWE
CWE-269
Status published
Products (4)
apache/couchdb 2.0.0 (5 CPE variants)
apache/couchdb < 1.7.0
Apache Software Foundation/Apache CouchDB 1.2.0 to 1.6.1
Apache Software Foundation/Apache CouchDB 2.0.0 to 2.1.0
Published Nov 14, 2017
Tracked Since Feb 18, 2026