A web database client on your public domain is the database itself
You needed to poke at production data without SSHing into a box every time, so you ran a web database client. pgweb in a container next to the app. CloudBeaver because the team already knew DBeaver. Maybe Hasura, because it gave you an instant GraphQL layer and a console for free. It saved you real time, it worked, and the URL stayed in a browser tab on your laptop.
The tab is still open. So is the URL, for everyone else.
A web database client is not an admin panel in front of a database. It is the database, wearing a browser. There is no content layer, no API contract, no row-level rules sitting between the visitor and the rows. Whoever loads the page gets the schema, the tables, and a query box. Several of these tools ship with no authentication at all by default, which means the login form you are picturing does not exist.
What "open DB client" actually means
When a stranger reaches one of these, here is the sequence. They see a connection or a table list. They open whatever table looks interesting: users, accounts, payments, sessions. They read every row. Then they notice the tool has a SQL box, because nearly all of them do, and they stop browsing and start typing.
That is the part that matters. Read access alone gives them every email, every password hash, every API token you ever stored in a column. A SQL runner gives them the rest:
- SELECT out the entire table set and walk away with a full copy of your data.
- UPDATE and DELETE against anything, including dropping tables and leaving a ransom note in a new one.
- On Postgres and MySQL, the SQL surface is often a path off the database and onto the host: COPY ... TO PROGRAM, INTO OUTFILE writing to a web root, loadable extensions. Arbitrary SQL on a misconfigured server becomes arbitrary commands.
Redash makes the last point worse, not better. It runs queries against data sources you connected to it, and it stores those data sources' credentials so it can. An open Redash isn't one database; it's the saved connection strings to all of them, plus a query editor pointed at each.
Six tools, one finding
These are different products. The finding is the same one every time: a database control surface answering the public internet, often with nothing in front of it.
- DBGate (/) is a multi-engine client. One UI over MSSQL, MySQL, Postgres, Mongo, SQLite, and Redis, whichever you wired up.
- pgweb (/) is a Postgres web client with no auth by default. Full read, write, and DDL the moment the page loads.
- CloudBeaver (/) is the web edition of DBeaver, multi-engine, the same browse-and-query surface you'd use as the operator.
- phpRedisAdmin (/login.php) browses, edits, and flushes Redis. A Redis full of sessions and cache keys is a session-hijack kit.
- Redash (/login) runs arbitrary SQL against connected sources and keeps their credentials.
- Hasura GraphQL console (/console) is full schema, table, and data admin plus a SQL runner over the connected database. When the admin secret is unset, it's all of that unauthenticated.
Each probe is gated on the tool's own markup (the Hasura console bundle markers, the pgweb app shell, DBGate's and CloudBeaver's distinctive HTML), so a hit means that exact client is genuinely served, not that a blog post on your site mentioned pgweb. A mention doesn't trip it. A live console does.
Why the login (when there is one) isn't the comfort it sounds like
phpRedisAdmin and Redash have a login. pgweb, by default, does not. Hasura's depends on whether you set HASURA_GRAPHQL_ADMIN_SECRET, and the number of deploys that skip it because "we'll add it before launch" is large.
Where a login does exist, it's a wall you've invited the world to lean on. The same pressures hit it as any panel: credential stuffing with passwords from other breaches, brute force where there's no rate limit, and product CVEs that only matter once the page is reachable. The difference here is the prize. Behind a CMS login is content. Behind one of these is the whole database and, through the SQL box, frequently the host underneath it.
Reading it from outside
Whether your database client answers the public internet is a question a stranger settles by loading its default path, and it's the one SurfaceCheckr settles for you, from outside, with no credentials. The check fetches only what each tool serves anonymously, matches it against that tool's own content signatures, and reports which ones are reachable and what they fingerprint as. It never submits a login, never runs a query, never touches a row. That's the line: it tells you the door is open and what's behind it, it does not walk through, so it isn't a pentest of your authenticated routes. For a data layer, reachable at all is the finding that has to land first, because it's the one that turns your database into someone else's download.
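As an added example, not SurfaceCheckr's own code, here is the shape of the check described in the paragraph above and in the probe-gating paragraph before it: an anonymous GET of each tool's default path, matched against several markers of that tool's own markup, with no login submitted and no query run. The paths are the ones listed above; the marker strings and sample pages are constructed placeholders, not any product's real signature.

```python
import urllib.request
import urllib.error

# tool -> (default path from the article, markers that must ALL occur in the body).
# Marker strings are illustrative placeholders, not any product's real signature:
# capture them from the markup your own instance of each tool actually serves.
SIGNATURES = {
    "dbgate":         ("/",          ["<title>DbGate", 'id="root"']),
    "pgweb":          ("/",          ["<title>pgweb", "connection_window"]),
    "cloudbeaver":    ("/",          ["<title>CloudBeaver", "cloudbeaver"]),
    "phpredisadmin":  ("/login.php", ["phpRedisAdmin", "<form"]),
    "redash":         ("/login",     ["<title>Login - Redash", "redash"]),
    "hasura-console": ("/console",   ["Hasura", "window.__env", 'id="console"']),
}

# Constructed response bodies for the offline self-check; not captured from real servers.
SAMPLE_PGWEB = ('<html><head><title>pgweb</title></head><body>'
                '<div id="connection_window"></div></body></html>')
SAMPLE_MENTION = '<html><body><p>We run pgweb behind the VPN.</p></body></html>'
SAMPLE_HASURA = ('<html><head><title>Hasura Console</title><script>window.__env={};'
                 '</script></head><body><div id="console"></div></body></html>')

def classify(path, body):
    """Tools whose default path is `path` and whose markers ALL occur in `body`.
    Several markers per tool is what keeps a page that merely mentions pgweb
    from being reported as a live console."""
    return sorted(tool for tool, (sig_path, markers) in SIGNATURES.items()
                  if sig_path == path and all(m in body for m in markers))

def fetch(base_url, path, timeout=5):
    """Anonymous GET: no cookies, no credentials, no request body, never a login
    or a query. Returns (status, body); status is None if nothing answered."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "db-client-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:       # 401/403 pages still carry markup
        return e.code, e.read(200_000).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None, ""

def check(base_url):
    """Fetch each distinct default path once (three tools share "/") and return
    path -> tools fingerprinted there. Any entry means the client is reachable."""
    findings = {}
    for path in sorted({p for p, _ in SIGNATURES.values()}):
        status, body = fetch(base_url, path)
        hits = classify(path, body)
        if hits:
            findings[path] = {"status": status, "tools": hits}
    return findings
```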
Point it at your domain and check. If one of these answers, see the related reads on the classic database panels like phpMyAdmin and Adminer, and on the backend-as-a-service consoles that are the database in the same way.
Read next
- PocketBase, Supabase Studio, Appwrite: your database admin is one login from the whole dataset (The admin panel you left unlocked)
- Did your Grafana, Kibana, or Jenkins end up public? (The admin panel you left unlocked)
- Why a public Strapi or Directus admin is a data leak waiting to happen (The admin panel you left unlocked)
- Your Kubernetes dashboard, Portainer, or MinIO console is on the public internet (The admin panel you left unlocked)
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.