CVE-2026-32969

Received Received - Intake

Pre-Auth Blind SQL Injection in userinfo Endpoint Risks Data Leak

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: CERT VDE

Description

An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-23

Last Modified

2026-03-23

Generated

2026-05-07

AI Q&A

2026-03-23

EPSS Evaluated

2026-05-05

NVD

CVE-2026-32969

EUVD

EUVD-2026-14407

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

This vulnerability is a Pre-Authentication blind SQL Injection in the userinfo endpoint's authentication method. It occurs because special elements in a SQL SELECT command are not properly neutralized, allowing an unauthenticated remote attacker to exploit it.

How can this vulnerability impact me? :

Exploitation of this vulnerability can lead to a total loss of confidentiality, meaning sensitive data could be exposed to unauthorized parties.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

What immediate steps should I take to mitigate this vulnerability?

I don't know

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-32969

Pre-Auth Blind SQL Injection in userinfo Endpoint Risks Data Leak

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart