CVE-2026-21856
Unknown Unknown - Not Provided
Time-Based Blind SQL Injection in Tarkov Data Manager APIs

Publication date: 2026-01-07

Last updated on: 2026-02-03

Assigner: GitHub, Inc.

Description
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time based blind SQL injection vulnerability in the webhook edit and scanner api endpoints that allow an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21856
EUVD
EUVD-2026-1401
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
the-hideout tarkov-data-manager to 2.0.0 (exc)
tarkov tarkov_data_manager to 2026-01-02 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include applying the patch from commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 which properly parameterizes the webhook ID in the SQL query to prevent injection. Additionally, ensure all user inputs, including URL parameters like 'id', are safely parameterized following best practices such as those in the OWASP SQL Injection Prevention Cheat Sheet. It is also recommended to audit the database for unauthorized changes due to the potential compromise from this vulnerability. [1, 2]

Executive Summary

CVE-2026-21856 is a high-severity authenticated time-based blind SQL injection vulnerability in the Tarkov Data Manager's webhook edit and scanner API endpoints. Specifically, the PUT /webhooks/:id route improperly interpolates the 'id' parameter from the URL directly into the SQL WHERE clause without sanitization, allowing an authenticated attacker to inject arbitrary SQL commands. This flaw enables attackers to execute arbitrary SQL queries against the MySQL database. [1]

Impact Analysis

An attacker with valid credentials can exploit this vulnerability to read, modify, or delete any data in the MySQL database, potentially leading to full database compromise. This includes unauthorized access to sensitive data, data corruption, or denial of service by affecting database availability. [1]

Detection Guidance

This vulnerability can be detected by attempting a time-based blind SQL injection on the vulnerable webhook edit API endpoint. For example, an authenticated user can send a malicious PUT request to the endpoint /webhooks/:id with a payload that includes a SQL sleep command to observe response delays. A sample test command using curl might be: curl -X PUT -H "Authorization: Bearer <token>" -d '{"field": "value"}' "https://<target>/webhooks/3' AND SLEEP(3)-- -". If the response is delayed by approximately 3 seconds, it indicates the presence of the vulnerability. [1]

Compliance Impact

The vulnerability allows an authenticated attacker to execute arbitrary SQL queries, potentially leading to full database compromise including reading, modifying, or deleting sensitive data. This could result in unauthorized access to personal or protected information, thereby violating data protection regulations such as GDPR or HIPAA. Organizations affected by this vulnerability should assume compromise and audit their databases for unauthorized changes to maintain compliance. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21856. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart