CVE-2026-56689

Dell · PowerFlex Manager

Dell PowerFlex Manager contains an SQL injection vulnerability that may allow authenticated low-privileged users to perform unauthorized data read operations.

Executive summary

A high-severity SQL injection vulnerability in Dell PowerFlex Manager enables authenticated attackers to perform unauthorized database queries.

Vulnerability

This flaw (CWE-89) involves improper neutralization of SQL command elements. An authenticated user can leverage this vulnerability to execute arbitrary read-only queries against the application database.

Business impact

Successful exploitation poses a risk to data confidentiality, as attackers can extract sensitive information stored within the PowerFlex Manager database. With a CVSS score of 7.7, this vulnerability represents a serious security oversight that must be addressed to prevent unauthorized data exfiltration.

Remediation

Immediate Action: Apply the vendor security updates by upgrading to version 5.1.0.1 or 4.5.5.2 or later.

Proactive Monitoring: Monitor management console logs for suspicious database query activity or unauthorized access attempts by standard users.

Compensating Controls: Utilize a WAF to inspect and block inputs containing SQL-specific characters or keywords that deviate from normal operational parameters.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The risk posed by this SQL injection vulnerability necessitates prompt action. Security teams must ensure that all instances of Dell PowerFlex Manager are updated to the latest secure versions to mitigate the risk of unauthorized data exposure.