CVE-2026-33545
Received - Intake
SQL Injection in MobSF read_sqlite() Enables Denial of Service

Publication date: 2026-03-26

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-03
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: opensecurity
Product: mobile_security_framework
Version / Range: up to 4.4.6 (excluding 4.4.6)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33545 is a SQL Injection vulnerability in the Mobile Security Framework (MobSF), specifically in the `read_sqlite()` function used to read SQLite database table names. The function uses unsafe Python string formatting to construct SQL queries with table names read directly from the database's `sqlite_master` table without proper sanitization or parameterization.

Because the table names come from the SQLite database itself, a malicious mobile application can embed crafted table names containing SQL injection payloads. When MobSF analyzes such a malicious app and attempts to query these tables, the unsafe string formatting allows the injection of SQL code.

This leads to two main issues: denial of service (DoS) by causing the database viewer to crash due to syntax errors from injected payloads, and potential SQL injection via UNION SELECT statements that could return attacker-controlled data. The vulnerability was patched in MobSF version 4.4.6 by properly quoting identifiers and escaping embedded quotes to prevent injection.


How can this vulnerability impact me?

This vulnerability can impact users by causing denial of service (DoS) when analyzing malicious mobile applications with MobSF. The crafted SQLite database table names cause the database viewer to crash, preventing security analysts from viewing any database content.

This DoS can be exploited by attackers to hide sensitive data such as command-and-control server URLs, stolen credentials, or API keys from being detected during security analysis.

Additionally, although limited by current execution order, the vulnerability allows SQL injection that could potentially return attacker-controlled data, undermining the reliability of MobSF as a security analysis tool.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is triggered when MobSF analyzes a malicious mobile application containing a crafted SQLite database with malicious table names. Detection involves observing crashes or denial of service in MobSF's SQLite database viewer when viewing database files from analyzed apps.

A practical detection method is to run the provided proof-of-concept (PoC) scripts and files, such as `poc_sqlite_injection.py` and `malicious.db`, to verify if MobSF versions prior to 4.4.6 are vulnerable.

There are no specific network commands provided, but monitoring MobSF logs for exceptions or crashes when viewing SQLite databases can indicate exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade MobSF to version 4.4.6 or later, where the vulnerability has been patched.

The patch replaces unsafe string formatting with properly escaped and quoted SQL identifiers, preventing SQL injection.

Additionally, the update opens SQLite databases in read-only mode to prevent unintended modifications and includes other security hardening measures.

Until upgrading, avoid analyzing untrusted or suspicious mobile applications that may contain crafted SQLite databases to reduce risk.
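The pattern the description and the mitigation answer describe, as an added example that is not MobSF's own code: a reader that interpolates table names from `sqlite_master` with `%` beside a hardened reader that quotes identifiers, doubles embedded quotes and opens the file read-only. The function names, the constructed sample database and the crafted table name are assumptions for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed table name (not from the page): one stray double quote plus a
# comment marker is enough to make an unquoted "SELECT * FROM %s" query fail.
CRAFTED_TABLE = 'evil"--'


def quote_identifier(name: str) -> str:
    """SQL-quote a SQLite identifier: wrap in double quotes, double embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def build_sample_db(path: Path) -> None:
    """Create a constructed sample database with a benign and a crafted table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (name TEXT)")
    con.execute("INSERT INTO users VALUES ('alice')")
    con.execute(f"CREATE TABLE {quote_identifier(CRAFTED_TABLE)} (v TEXT)")
    con.execute(f"INSERT INTO {quote_identifier(CRAFTED_TABLE)} VALUES ('hidden')")
    con.commit()
    con.close()


def table_names(con: sqlite3.Connection) -> list:
    """Table names as stored in the file, i.e. attacker-controlled for a malicious app."""
    return [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]


def read_sqlite_unsafe(path: Path) -> dict:
    """Vulnerable pattern from the description: raw '%' interpolation of the name."""
    con = sqlite3.connect(path)
    try:
        return {t: con.execute("SELECT * FROM %s" % t).fetchall() for t in table_names(con)}
    finally:
        con.close()


def read_sqlite_hardened(path: Path) -> dict:
    """Hardened: read-only URI open, every identifier quoted and escaped."""
    con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return {t: con.execute(f"SELECT * FROM {quote_identifier(t)}").fetchall()
                for t in table_names(con)}
    finally:
        con.close()


def run_demo() -> tuple:
    """Build the sample DB; return (rows from hardened reader, unsafe reader crashed?)."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "sample.db"
        build_sample_db(db)
        try:
            read_sqlite_unsafe(db)
            crashed = False
        except sqlite3.OperationalError:  # the syntax error behind the viewer crash
            crashed = True
        return read_sqlite_hardened(db), crashed
```

The hardened reader returns every table, crafted name included, as plain rows; the unsafe one raises on the first malformed identifier, which is the denial of service the advisory describes.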


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in MobSF allows denial of service and potential SQL injection when analyzing malicious mobile applications containing crafted SQLite databases. This can enable attackers to hide sensitive data such as command-and-control server URLs, stolen credentials, or API keys from security analysts.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability for attackers to hide sensitive data from analysis tools could indirectly impact compliance by undermining the effectiveness of security assessments and incident response.

Therefore, organizations relying on MobSF for mobile application security testing might face increased risk of undetected data exposure or breaches, which could affect their compliance posture with regulations requiring protection of personal or sensitive data.

