CVE-2026-4317

SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.

CVSS

No CVSS.

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/sql-inyection-umami-software-application

Configurations

No configuration.

History

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de inyección SQL (SQLi) en la aplicación web de Umami Software a través de un parámetro incorrectamente saneado, lo que podría permitir a un atacante autenticado ejecutar comandos SQL arbitrarios en la base de datos. Específicamente, podrían manipular el valor del parámetro de solicitud 'timezone' incluyendo caracteres maliciosos y una carga útil SQL. La aplicación interpolaría estos valores directamente en la consulta SQL sin realizar primero un filtrado o saneamiento adecuado (por ejemplo, utilizando funciones como 'prisma.rawQuery', 'prisma.$queryRawUnsafe' o consultas sin procesar con 'ClickHouse'). La explotación exitosa de esta vulnerabilidad podría permitir a un atacante autenticado comprometer los datos de la base de datos y ejecutar funciones peligrosas.

31 Mar 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-31 10:16

Updated : 2026-05-19 15:43

NVD link : CVE-2026-4317

Mitre link : CVE-2026-4317

CVE.ORG link : CVE-2026-4317

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-4317", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-31T10:16:19.153", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-inyection-umami-software-application", "source": "cve-coordination@incibe.es"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL (SQLi) en la aplicaci\u00f3n web de Umami Software a trav\u00e9s de un par\u00e1metro incorrectamente saneado, lo que podr\u00eda permitir a un atacante autenticado ejecutar comandos SQL arbitrarios en la base de datos. Espec\u00edficamente, podr\u00edan manipular el valor del par\u00e1metro de solicitud 'timezone' incluyendo caracteres maliciosos y una carga \u00fatil SQL. La aplicaci\u00f3n interpolar\u00eda estos valores directamente en la consulta SQL sin realizar primero un filtrado o saneamiento adecuado (por ejemplo, utilizando funciones como 'prisma.rawQuery', 'prisma.$queryRawUnsafe' o consultas sin procesar con 'ClickHouse'). La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir a un atacante autenticado comprometer los datos de la base de datos y ejecutar funciones peligrosas."}], "lastModified": "2026-05-19T15:43:28.500", "sourceIdentifier": "cve-coordination@incibe.es"}