CVE-2026-32969

Received Received - Intake

Pre-Auth Blind SQL Injection in userinfo Endpoint Risks Data Leak

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: CERT VDE

Description

An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-23

Last Modified

2026-03-23

Generated

2026-06-16

AI Q&A

2026-03-23

EPSS Evaluated

2026-06-15

NVD

CVE-2026-32969

EUVD

EUVD-2026-14407

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability is a Pre-Authentication blind SQL Injection in the userinfo endpoint's authentication method. It occurs because special elements in a SQL SELECT command are not properly neutralized, allowing an unauthenticated remote attacker to exploit it.

Impact Analysis

Exploitation of this vulnerability can lead to a total loss of confidentiality, meaning sensitive data could be exposed to unauthorized parties.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-32969. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-32969

Pre-Auth Blind SQL Injection in userinfo Endpoint Risks Data Leak

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart