CVE-2026-41478
Saltcorn · Saltcorn
A SQL injection vulnerability in Saltcorn's mobile-sync routes allows authenticated low-privilege users to execute arbitrary queries, leading to potential full database exfiltration.
Executive summary
A critical SQL injection flaw in Saltcorn allows low-privilege authenticated users to extract sensitive database content and compromise system configuration.
Vulnerability
The vulnerability is a SQL injection flaw located within the mobile-sync routes. An authenticated user with read access to at least one table can supply crafted, unsanitized sync parameters that are interpolated into SQL and executed by the backend database.
Business impact
With a CVSS score of 9.9, this vulnerability carries an extremely high risk of data breach. An attacker can extract administrative credentials, configuration secrets, and proprietary business data, or perform destructive database operations, resulting in significant reputational and operational damage.
Remediation
Immediate Action: Update Saltcorn to version 1.4.6, 1.5.6, or 1.6.0-beta.5, whichever corresponds to your deployment branch.
Proactive Monitoring: Monitor database query logs for anomalous or high-frequency query patterns originating from the mobile-sync endpoints. Database-side logs alone usually do not record which application route issued a query, so correlate them with the application's access logs for the sync routes.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to inspect and filter malicious traffic directed at the sync routes. Treat this as a stopgap only: the requests are authenticated application traffic and a WAF cannot reliably distinguish every injected payload from legitimate sync parameters, so it does not replace the update.
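To make the "update to the fixed release for your branch" step checkable in an inventory script, here is an added example (not Saltcorn project code) that gates an installed version string against the three fixed releases named above. It assumes the installed version is obtained separately from the deployment (for example its package metadata) and implements its own semver comparison so it runs without dependencies; branches the advisory does not list are reported as unknown rather than assumed fixed.

```javascript
// Fixed versions per release branch, as listed in this advisory.
const FIXED_BY_BRANCH = { "1.4": "1.4.6", "1.5": "1.5.6", "1.6": "1.6.0-beta.5" };

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split(".") : null }; // null = final release
}

// Semver ordering: numeric core first; a pre-release sorts below the final
// release with the same core; pre-release identifiers compare numerically
// when both are numeric, otherwise as strings (numeric sorts first).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre || !pb.pre) return pa.pre ? -1 : 1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "patched" or "vulnerable" against the branch's fixed release; "unknown-branch"
// when the advisory lists no fix for that branch (check release notes manually).
function assessVersion(installed) {
  const { core } = parseVersion(installed);
  const fixed = FIXED_BY_BRANCH[`${core[0]}.${core[1]}`];
  if (!fixed) return "unknown-branch";
  return compareVersions(installed, fixed) >= 0 ? "patched" : "vulnerable";
}

// Constructed sample inputs: in practice the installed version string comes
// from the deployment (hypothetical source), not from a hard-coded value.
console.log(assessVersion("1.5.5"), assessVersion("1.6.0-beta.5"));
```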
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ease with which an authenticated user can exploit this vulnerability, patching is mandatory. Administrators should verify the version currently deployed on each branch and apply the corresponding update immediately to prevent unauthorized data access.