CVE-2026-24494

Received Received - Intake

SQL Injection in Order Up API Allows Unauthorized Data Access

Publication date: 2026-02-23

Last updated on: 2026-02-23

Assigner: 66fe30d5-b042-4547-a192-c18da4c41a81

Description

SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-23

Last Modified

2026-02-23

Generated

2026-06-16

AI Q&A

2026-02-23

EPSS Evaluated

2026-06-15

NVD

CVE-2026-24494

EUVD

EUVD-2026-7599

Affected Vendors & Products

Vendor	Product	Version / Range
order_up	online_ordering_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-24494 is a critical SQL Injection vulnerability found in the Order Up Online Ordering System version 1.0. It occurs in the /api/integrations/getintegrations endpoint, where the application improperly handles the user-supplied store_id parameter in a POST request.

Because the system does not perform adequate server-side validation and fails to use parameterized queries, an unauthenticated attacker can inject malicious SQL code directly into backend database queries.

Security testing confirmed this vulnerability using boolean-based and time-based blind SQL Injection techniques, allowing attackers to control query execution and extract sensitive data.

Impact Analysis

Exploitation of this vulnerability allows unauthenticated attackers to access and extract highly sensitive backend database information, including administrative account password hashes and critical API keys.

Attackers can enumerate database structures and gain full control over application data and administrative functions, potentially leading to data breaches, unauthorized access, and disruption of services.

Because no authentication is required to exploit this flaw, the risk and impact are very high, making it critical to address immediately.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by performing security testing on the /api/integrations/getintegrations endpoint using both boolean-based and time-based blind SQL Injection techniques.'}, {'type': 'paragraph', 'content': 'Boolean-based tests involve sending crafted POST requests with the store_id parameter set to SQL conditions that evaluate to true or false, and observing variations in application responses.'}, {'type': 'paragraph', 'content': 'Time-based tests involve injecting SQL statements that cause controlled delays in the server response, confirming execution of injected code even if no error messages are shown.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send POST requests to /api/integrations/getintegrations with crafted store_id parameters to test for SQL Injection.'}, {'type': 'list_item', 'content': "Example command for boolean-based test: curl -X POST -d 'store_id=1 AND 1=1' https://target/api/integrations/getintegrations"}, {'type': 'list_item', 'content': "Example command for time-based test: curl -X POST -d 'store_id=1; WAITFOR DELAY '00:00:05'' https://target/api/integrations/getintegrations"}] [1]

Mitigation Strategies

Immediate mitigation steps include coordinating with the vendor to apply patches that fix the vulnerability.

Deploying a Web Application Firewall (WAF) can provide additional protection by filtering malicious requests targeting the vulnerable endpoint.

Long-term remediation should include implementing parameterized queries or prepared statements, enforcing strict server-side input validation, applying least-privilege principles to database access, and suppressing verbose SQL error messages.

Hi! I’m here to help you understand CVE-2026-24494. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-24494

SQL Injection in Order Up API Allows Unauthorized Data Access

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart