A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9
Description
A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9
AI Analyst Comment
Remediation
Apply vendor patches immediately. Review database access controls and enable query logging.
---METADATA---
VENDOR: OpenSIPS
PRODUCT: Control Panel (opensips-cp)
AFFECTED_VERSIONS: prior to version 9.3.3
---END_METADATA---
Description Summary:
A Time-Based Blind SQL Injection vulnerability exists in the alias_management module of the OpenSIPS Control Panel.
Executive Summary:
An authenticated SQL injection vulnerability in OpenSIPS Control Panel allows attackers to extract sensitive database information via the alias_management module.
Vulnerability Details
CVE-ID: CVE-2026-36670
Affected Software: OpenSIPS Control Panel
Affected Versions: prior to version 9.3.3
Vulnerability: The alias_management module fails to properly sanitize user inputs, enabling a Time-Based Blind SQL Injection. An authenticated attacker can execute arbitrary SQL commands by manipulating parameters within this module.
Business Impact
With a CVSS score of 8.8, this vulnerability poses a severe risk of data breach and unauthorized database modification. Successful exploitation could lead to full database compromise, where sensitive configuration or user data is exfiltrated or manipulated, undermining the security of the entire telephony infrastructure.
Remediation Plan
Immediate Action: Update OpenSIPS Control Panel to version 9.3.3 or later immediately.
Proactive Monitoring: Enable database query logging and monitor for unusual query execution times, which are indicative of time-based injection attacks.
Compensating Controls: Use a Web Application Firewall (WAF) with SQL injection detection rules to inspect and block malicious input directed at the alias_management module.
Exploitation Status
Public Exploit Available: true
Analyst Notes: As of June 17, 2026, a public exploit is available for this vulnerability. Given the ease of exploitation, the risk to unpatched systems is critical.
Analyst Recommendation
The availability of a public exploit significantly elevates the risk associated with this vulnerability. Organizations using OpenSIPS Control Panel must upgrade to version 9.3.3 immediately. Security teams should perform a forensic review of database logs to determine if unauthorized access has already occurred.