CVE-2026-21856
Time-Based Blind SQL Injection in Tarkov Data Manager APIs
Publication date: 2026-01-07
Last updated on: 2026-02-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the-hideout | tarkov-data-manager | < 2.0.0 (2.0.0 excluded) |
| tarkov | tarkov_data_manager | <= 2026-01-02 (2026-01-02 included) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to execute arbitrary SQL queries, potentially leading to full database compromise including reading, modifying, or deleting sensitive data. This could result in unauthorized access to personal or protected information, thereby violating data protection regulations such as GDPR or HIPAA. Organizations affected by this vulnerability should assume compromise and audit their databases for unauthorized changes to maintain compliance. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch from commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 which properly parameterizes the webhook ID in the SQL query to prevent injection. Additionally, ensure all user inputs, including URL parameters like 'id', are safely parameterized following best practices such as those in the OWASP SQL Injection Prevention Cheat Sheet. It is also recommended to audit the database for unauthorized changes due to the potential compromise from this vulnerability. [1, 2]
Can you explain this vulnerability to me?
CVE-2026-21856 is a high-severity authenticated time-based blind SQL injection vulnerability in the Tarkov Data Manager's webhook edit and scanner API endpoints. Specifically, the PUT /webhooks/:id route improperly interpolates the 'id' parameter from the URL directly into the SQL WHERE clause without sanitization, allowing an authenticated attacker to inject arbitrary SQL commands. This flaw enables attackers to execute arbitrary SQL queries against the MySQL database. [1]
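The two handler shapes the answer above contrasts, as an added illustration that is not code from tarkov-data-manager: the table name `webhook`, the column `name`, and the `{sql, params}` statement shape consumed by a mysql2-style driver are assumptions made for the demo.

```javascript
// Added illustration, not code from tarkov-data-manager. The table name
// (webhook), the column (name) and the {sql, params} statement shape that a
// mysql2-style driver consumes are assumptions for this demo.

// The defect the advisory describes: req.params.id is spliced into the SQL
// text, so the database parses whatever followed /webhooks/ as part of the
// statement instead of treating it as a value.
function buildVulnerableUpdate(req) {
  return {
    sql: `UPDATE webhook SET name = ? WHERE id = ${req.params.id}`,
    params: [req.body.name],
  };
}

// Hardened form: the id must be a positive integer (capped at 15 digits so it
// stays a safe JS integer) and is bound as a placeholder like every other
// user-supplied value, so it can only ever be compared as a number.
function parseWebhookId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,14}$/.test(raw)) return null;
  return Number(raw);
}

function buildSafeUpdate(req) {
  const id = parseWebhookId(req.params.id);
  if (id === null) {
    // Reject before any SQL text is built; the query never sees the raw input.
    return { status: 400, error: 'invalid webhook id' };
  }
  return {
    sql: 'UPDATE webhook SET name = ? WHERE id = ?',
    params: [req.body.name, id],
  };
}

// Constructed requests: a well-formed id and the probe value quoted in the
// advisory's own detection answer.
const legit = { params: { id: '3' }, body: { name: 'renamed' } };
const probe = { params: { id: "3' AND SLEEP(3)-- -" }, body: { name: 'renamed' } };

// The WHERE clause now carries "AND SLEEP(3)" verbatim: the delay the advisory
// describes is the database executing SQL that arrived in the URL.
console.log(buildVulnerableUpdate(probe).sql);
console.log(buildSafeUpdate(probe)); // { status: 400, error: 'invalid webhook id' }
console.log(buildSafeUpdate(legit)); // placeholder query, params ['renamed', 3]
```

The same validate-then-bind shape applies to the scanner API endpoints the advisory lists; the driver's parameter binding, not quoting or escaping in application code, is what keeps the id out of the parsed SQL.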
How can this vulnerability impact me?
An attacker with valid credentials can exploit this vulnerability to read, modify, or delete any data in the MySQL database, potentially leading to full database compromise. This includes unauthorized access to sensitive data, data corruption, or denial of service by affecting database availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting a time-based blind SQL injection on the vulnerable webhook edit API endpoint. For example, an authenticated user can send a malicious PUT request to the endpoint /webhooks/:id with a payload that includes a SQL sleep command to observe response delays. A sample test command using curl might be: `curl -X PUT -H "Authorization: Bearer <token>" -d '{"field": "value"}' "https://<target>/webhooks/3' AND SLEEP(3)-- -"`. If the response is delayed by approximately 3 seconds, it indicates the presence of the vulnerability. [1]