Wiz Research recently identified a publicly accessible ClickHouse database belonging to DeepSeek, granting unrestricted control over database operations and exposing highly sensitive information. The breach included over a million log streams containing chat history, secret keys, backend details, and other confidential data. Upon discovery, Wiz Research promptly informed DeepSeek, which quickly secured the vulnerability.
Executive Summary DeepSeek, a Chinese AI startup, has attracted significant media attention with its innovative AI models, especially the DeepSeek-R1 reasoning model. This model competes with leading AI systems like OpenAI’s GPT-4 in performance and is praised for its cost-effectiveness and efficiency. As DeepSeek gained prominence in the AI sector, Wiz Research initiated an external security assessment to uncover potential vulnerabilities.
Wiz Team discovered a publicly accessible, fully open, and unauthenticated ClickHouse database linked to DeepSeek. The exposed database, hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000, contained vast amounts of sensitive data, including chat history, backend details, log streams, API secrets, and operational information.
Critically, this exposure allowed for complete database control and potential privilege escalation within DeepSeek’s environment, with no authentication or defense mechanisms in place.
Exposure Walkthrough
The reconnaissance began by assessing DeepSeek’s publicly accessible domains. By mapping the external attack surface using straightforward reconnaissance techniques (passive and active discovery of subdomains), the team identified approximately 30 internet-facing subdomains. Most appeared benign, hosting elements like the chatbot interface, status page, and API documentation—none of which initially indicated high-risk exposure.
However, expanding the search beyond standard HTTP ports (80/443), two unusual, open ports (8123 & 9000) associated with the following hosts were detected:
http://oauth2callback.deepseek.com:8123
http://dev.deepseek.com:8123
http://oauth2callback.deepseek.com:9000
http://dev.deepseek.com:9000
Further investigation revealed that these ports led to a publicly exposed ClickHouse database, accessible without authentication—an immediate red flag.
Using ClickHouse’s HTTP interface, the Wiz Team accessed the /play path, allowing direct execution of arbitrary SQL queries via the browser. A simple SHOW TABLES query returned a complete list of accessible datasets. ClickHouse, an open-source columnar database management system for fast analytical queries on large datasets, is widely used for real-time data processing and big data analytics. Given ClickHouse’s capabilities, this exposure represents a significant security lapse.
The unsecured ClickHouse instances reportedly held over a million log entries containing user chat history in plaintext, API keys, backend details, and operational metadata. One table stood out: log_stream, which included extensive logs with highly sensitive data.
The log_stream table included over 1 million entries with particularly revealing columns:
- timestamp: Logs dating from January 6, 2025
- span_name: References to various internal DeepSeek API endpoints
- string.values: Plaintext logs, including Chat History, API Keys, backend details, and operational metadata
- _service: Indicating which DeepSeek service generated the logs
- _source: Exposing the origin of log requests, including Chat History, API Keys, directory structures, and chatbot metadata logs
Wiz Research discovered this exposure during a security assessment of DeepSeek’s external infrastructure. The security firm found two publicly accessible database instances at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000 that allowed arbitrary SQL queries via a web interface without requiring authentication.
The databases contained a ‘log_stream’ table storing sensitive internal logs dating from January 6, 2025, including:
- User queries to DeepSeek’s chatbot
- Keys used by backend systems to authenticate API calls
- Internal infrastructure and services information
- Various operational metadata
“This level of access posed a critical risk to DeepSeek’s security and end-users,” commented Wiz Research.
Depending on ClickHouse’s configuration, an attacker could retrieve sensitive logs and plaintext chat messages and potentially exfiltrate plaintext passwords, local files, and proprietary information directly from the server using queries like SELECT * FROM file(‘filename’).
Wiz limited its exploration to enumeration to adhere to ethical research practices. It remains unclear whether Wiz researchers were the first to discover this exposure or if malicious actors have already exploited it.
This incident underscores a recurring issue in the tech industry: the balance between rapid innovation and robust security practices. While DeepSeek’s AI advancements are commendable, this oversight reveals a concerning gap in their security protocols. As AI models increasingly integrate into critical applications, safeguarding data isn’t just about protecting company assets—it’s about ensuring user trust and industry integrity. This breach should serve as a wake-up call for all organizations handling sensitive data to assess and fortify their external security postures rigorously.