CVE-2017-12636

HIGH LAB

Apache CouchDB < 1.7.0 and 2.x < 2.1.1 - Authenticated OS Command Injection via Configuration Options

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2017-12636. PoCs published by Metasploit, Cody Zacharias, XTeam-Wing, including Metasploit module exploits/linux/http/apache_couchdb_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-12636 in Apache CouchDB, allowing arbitrary command execution by leveraging misconfigured query servers. It includes an authentication bypass (CVE-2017-12635) to gain admin privileges.

Description

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/45019

This Metasploit module exploits CVE-2017-12636 in Apache CouchDB, allowing arbitrary command execution by leveraging misconfigured query servers. It includes an authentication bypass (CVE-2017-12635) to gain admin privileges.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB before 1.7.0 and 2.x before 2.1.1
No auth needed
Prerequisites: Network access to CouchDB (default port 5984) · CouchDB version vulnerable to CVE-2017-12636
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Cody Zacharias · pythonwebappslinux
https://www.exploit-db.com/exploits/44913

This exploit targets Apache CouchDB versions <= 1.7.0 and 2.x < 2.1.0, leveraging CVE-2017-12636 to achieve remote code execution by manipulating the query_servers configuration. It also includes privilege escalation via CVE-2017-12635 to create an admin user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB <= 1.7.0 and 2.x < 2.1.0
No auth needed
Prerequisites: Network access to CouchDB port (default 5984) · CouchDB version <= 1.7.0 or 2.x < 2.1.0
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 6 stars
by XTeam-Wing · poc
https://github.com/XTeam-Wing/CVE-2017-12636

This exploit targets CVE-2017-12636, a remote code execution vulnerability in Apache CouchDB. It creates an admin user, then abuses the query_servers configuration to execute a reverse shell command via a crafted base64-encoded payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB 1.6.x and 2.1.x
No auth needed
Prerequisites: Network access to target CouchDB instance · Target must be vulnerable (unpatched CouchDB 1.6.x or 2.1.x)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by moayadalmalat · poc
https://github.com/moayadalmalat/CVE-2017-12636

This PoC exploits CVE-2017-12636, a command injection vulnerability in Apache CouchDB, by creating an admin user and leveraging the query_servers configuration to execute arbitrary commands. The exploit demonstrates RCE by writing the output of the 'id' command to a file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB versions prior to 1.7.0 and 2.x prior to 2.1.1
Auth required
Prerequisites: Network access to CouchDB instance · CouchDB instance with vulnerable configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Max Justicz, Joan Touzet · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_couchdb_cmd_exec.rb

This Metasploit module exploits CVE-2017-12636, a vulnerability in Apache CouchDB that allows arbitrary command execution by leveraging misconfigured query server paths. It includes an authentication bypass (CVE-2017-12635) to gain admin privileges and then executes commands via HTTP requests to vulnerable endpoints.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB before 1.7.0 and 2.x before 2.1.1
Auth required
Prerequisites: Network access to CouchDB HTTP API · Valid credentials or ability to bypass authentication
devstral-2 · analyzed Apr 22, 2026 Full analysis →
inthewild WORKING POC
poc
https://github.com/redteamwing/cve-2017-12636

This repository contains a functional exploit for CVE-2017-12636, targeting Apache CouchDB versions 1.6 and 2.1. The exploit leverages improper input validation to achieve remote code execution by creating an admin user and injecting a reverse shell command via the query_servers configuration.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache CouchDB 1.6, 2.1
No auth needed
Prerequisites: Network access to target CouchDB instance · Python 3 environment
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45019/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44913/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201711-16
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html

Scores

CVSS v3 7.2
EPSS 0.9375
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull vulhub/couchdb:1.6.0
+1 more repos

Details

CWE
CWE-78
Status published
Products (4)
apache/couchdb 2.0.0 (5 CPE variants)
apache/couchdb < 1.7.0
Apache Software Foundation/Apache CouchDB 1.2.0 to 1.6.1
Apache Software Foundation/Apache CouchDB 2.0.0 to 2.1.0
Published Nov 14, 2017
Tracked Since Feb 18, 2026