An unauthenticated SQL injection vulnerability in Homey BNB V4 allows attackers to gain full access to the application's database, posing a critical risk to data privacy.

The vulnerability is an unauthenticated SQL injection flaw within the 'hosting_id' parameter of Homey BNB V4. This allows a remote attacker to bypass security controls and execute arbitrary SQL commands against the backend database without requiring any login credentials.

The impact of this vulnerability is severe, potentially resulting in the complete exfiltration of the database, including user information, booking details, and administrative credentials. The CVSS score of 8.2 and the unauthenticated nature of the attack elevate the urgency of this late-disclosure vulnerability.

Immediate Action: Apply the vendor-supplied patches for Homey BNB V4 immediately. If a patch is not available, consider taking the affected service offline until it can be secured.

Proactive Monitoring: Thoroughly audit database logs for evidence of past exploitation, specifically looking for unauthorized access to sensitive tables or unusual activity linked to the 'hosting_id' parameter.

Compensating Controls: Deploy a WAF with aggressive SQL injection filtering and restrict database access to the minimum required permissions.

Public Exploit Available: false

This vulnerability must be remediated with the highest priority. The ability for unauthenticated attackers to manipulate the database represents a critical failure in security that can only be resolved through immediate patching or system replacement.