CVE-2026-4317
SQL Injection in Umami Software Allows Authenticated Data Compromise
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| umami_software | umami | all versions before 3.0.3 (3.0.3 itself excluded) |
| umami_software | umami | 3.0.3 |
The second row is reproduced from the feed as published. It conflicts with the statement later on this page that 3.0.3 contains the fix, so confirm the fixed version against the vendor's release notes before relying on either.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4317 is an SQL injection vulnerability (CWE-89) in Umami, an open-source web analytics platform. The Q&A names version 3.0.2; the affected-products table above covers every release before 3.0.3.
The application reads the 'timezone' request parameter and, without validating it, interpolates it directly into SQL text. The raw-query paths named for this page are the project's 'rawQuery' helper over Prisma, 'prisma.$queryRawUnsafe', and raw queries sent to ClickHouse; none of them binds the value as a parameter.
A legitimate value is an IANA zone identifier such as 'Europe/Madrid'. Because the string becomes part of the statement rather than a bound parameter, an authenticated user with only limited privileges can append SQL syntax to it and have the database run statements of their choosing, including built-in functions, with the rights of the application's database account.
How can this vulnerability impact me?
Exploiting this vulnerability lets an authenticated attacker run SQL of their choosing against the Umami database, which can:
- Compromise the integrity of the database.
- Execute database functions that lead to data loss, data corruption, or unauthorized reading of analytics and account data.
- Potentially escalate privileges within the application or disrupt its normal operation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Legitimate values of the 'timezone' parameter are IANA zone identifiers: letters, digits, '/', '_', '+' and '-', for example 'Europe/Madrid' or 'UTC'. Any request in which that parameter carries quotes, semicolons, parentheses, whitespace or comment sequences ('--', '/*') is not a real timezone and is worth an alert. Check the web-server, reverse-proxy and WAF logs for such values, and check the database logs for syntax errors or unexpected statements in the queries that use the parameter.
If you want to confirm the behaviour of an instance you own, send a value that is syntactically a timezone with one extra quote appended and compare it with a clean baseline request. Because the flaw requires authentication, the request must carry a valid session for the instance (for example an Authorization header or session cookie). The endpoint below is a placeholder, not a real path, and whether the parameter is read from the body or the query string depends on the endpoint. A patched instance rejects the value with a validation error; a vulnerable one typically answers with a database error. Do not send destructive statements such as DROP TABLE against a system you do not intend to rebuild, and do not probe systems you are not authorised to test.
- curl -H '<auth header>' -X POST 'http://<target>/api/endpoint' -d "timezone=Europe/Madrid"
- curl -H '<auth header>' -X POST 'http://<target>/api/endpoint' -d "timezone=Europe/Madrid'"
The first request is the baseline; the second should fail before the value reaches the database.
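The following TypeScript is an added example, not code from the Umami project: it implements the log check described above over a few constructed access-log lines. It assumes the parameter appears in the query string of a logged request (a value sent in a POST body does not reach the access log and would need application-side logging); the request paths, addresses and timestamps are invented for the example.

```typescript
// Added example, not Umami's code: scan access-log lines for the `timezone`
// parameter and flag values that cannot be an IANA zone identifier.
// Log lines, addresses and request paths below are constructed for this example.

export interface Finding {
  line: number;     // 1-based index into the scanned input
  client: string;   // source address from the log entry
  timezone: string; // decoded parameter value
  reason: string;   // why it was flagged
}

// Allow-list shape of an IANA zone identifier ("Europe/Madrid", "UTC", "Etc/GMT+5").
const IANA_SHAPE = /^[A-Za-z][A-Za-z0-9_+\-]*(?:\/[A-Za-z0-9_+\-]+)*$/;

// Shape check first (rejects quotes, semicolons, spaces, comment markers), then the
// runtime's zone table: Intl.DateTimeFormat throws RangeError on an unknown zone.
export function isValidTimezone(tz: string): boolean {
  if (!IANA_SHAPE.test(tz)) return false;
  try {
    new Intl.DateTimeFormat("en-US", { timeZone: tz });
    return true;
  } catch {
    return false;
  }
}

// Request line of a common/combined log format entry: client address and target.
const REQUEST_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP\/[\d.]+"/;

// Percent-decoded value of one query-string parameter, or null if absent.
export function queryParam(target: string, name: string): string | null {
  const q = target.indexOf("?");
  if (q < 0) return null;
  for (const pair of target.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key !== name) continue;
    const raw = eq < 0 ? "" : pair.slice(eq + 1).replace(/\+/g, " ");
    try {
      return decodeURIComponent(raw);
    } catch {
      return raw; // malformed escapes: inspect the raw value rather than drop the line
    }
  }
  return null;
}

export function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((entry, i) => {
    const m = REQUEST_LINE.exec(entry);
    if (!m) return;
    const tz = queryParam(m[2], "timezone");
    if (tz === null || isValidTimezone(tz)) return;
    findings.push({
      line: i + 1,
      client: m[1],
      timezone: tz,
      reason: IANA_SHAPE.test(tz)
        ? "well-formed but not a known zone"
        : "contains characters no zone identifier uses",
    });
  });
  return findings;
}

// Constructed sample: two legitimate requests, two injection attempts, one unrelated POST.
export const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [31/Mar/2026:10:15:22 +0000] "GET /api/websites/w1/stats?startAt=1774900000000&endAt=1774986400000&timezone=Europe%2FMadrid HTTP/1.1" 200 512',
  '203.0.113.7 - - [31/Mar/2026:10:15:40 +0000] "GET /api/websites/w1/pageviews?unit=hour&timezone=UTC HTTP/1.1" 200 2048',
  '198.51.100.23 - - [31/Mar/2026:10:16:03 +0000] "GET /api/websites/w1/stats?timezone=Europe%2FMadrid%27%29%3B%20SELECT%20pg_sleep%2810%29--%20 HTTP/1.1" 500 88',
  '198.51.100.23 - - [31/Mar/2026:10:16:09 +0000] "GET /api/websites/w1/stats?timezone=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88',
  '192.0.2.10 - - [31/Mar/2026:10:17:00 +0000] "POST /api/send HTTP/1.1" 200 12',
];
```

Running `scanAccessLog(SAMPLE_LOG)` flags the third and fourth lines and nothing else. The two-stage check matters: the regex catches injection syntax outright, while the Intl lookup catches well-formed strings that are still not zones, which is also the check a patched server should apply before the value reaches the data layer.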
What immediate steps should I take to mitigate this vulnerability?
Upgrade Umami to 3.0.3 or a later release; the Q&A states that the fix ships there.
Until the upgrade is applied, limit who can log in: the flaw needs an authenticated account, so remove unused users and restrict the instance to trusted networks where that is not already the case. 'Limited privileges' is enough to exploit it, so ordinary viewer accounts count, not only administrators.
If you maintain a fork or a patched build, fix the root cause rather than filtering at the edge: validate 'timezone' against the IANA zone list (at minimum a strict allow-list pattern of letters, digits, '/', '_', '+' and '-') and reject anything else before it reaches the data layer, and pass the value as a bound parameter instead of interpolating it into SQL text. For Prisma that means the tagged-template form of '$queryRaw' (or 'Prisma.sql') rather than '$queryRawUnsafe' with string concatenation; for ClickHouse, the server-side query parameters of its interface rather than building the statement from strings. Parameterisation is what removes the injection; validation is defence in depth, not a substitute.
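As an added illustration (not Umami's code and not its actual queries), the following TypeScript shows the interpolation pattern the advisory describes beside a hardened version. The table and column names are assumed for the example, and the `sql` tagged template is a minimal stand-in that makes visible what a parameterising template such as Prisma's `$queryRaw` does: the SQL text and the values travel separately, here with Postgres-style `$n` placeholders.

```typescript
// Added example, not Umami's code. Table and column names are assumed for illustration.

export interface ParamQuery {
  text: string;      // SQL with $1, $2, ... placeholders
  values: unknown[]; // bound values, sent to the server separately from the text
}

// Minimal stand-in for a parameterising tagged template (the shape of Prisma's
// $queryRaw tagged-template form): literal parts become SQL text, each interpolated
// value becomes a placeholder. Nothing the caller interpolates can alter the text.
export function sql(strings: TemplateStringsArray, ...values: unknown[]): ParamQuery {
  let text = strings[0];
  values.forEach((_, i) => {
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, values };
}

// Allow-list shape of an IANA zone identifier, then the runtime's own zone table.
const IANA_SHAPE = /^[A-Za-z][A-Za-z0-9_+\-]*(?:\/[A-Za-z0-9_+\-]+)*$/;

export function assertTimezone(tz: string): string {
  if (!IANA_SHAPE.test(tz)) {
    throw new Error(`invalid timezone: ${JSON.stringify(tz)}`);
  }
  try {
    new Intl.DateTimeFormat("en-US", { timeZone: tz }); // throws RangeError if unknown
  } catch {
    throw new Error(`unknown timezone: ${JSON.stringify(tz)}`);
  }
  return tz;
}

// Vulnerable pattern, kept deliberately to show the bug the advisory describes:
// the request value is spliced into the statement text, which is what happens
// when a concatenated string is handed to something like $queryRawUnsafe.
export function buildPageviewsUnsafe(websiteId: string, tz: string): string {
  return (
    `select date_trunc('hour', created_at at time zone '${tz}') as bucket, count(*) ` +
    `from website_event where website_id = '${websiteId}' group by bucket`
  );
}

// Hardened version: reject anything that is not a zone identifier, and bind the
// value as a parameter so it stays data to the database even if validation is bypassed.
export function buildPageviewsSafe(websiteId: string, tz: string): ParamQuery {
  const zone = assertTimezone(tz);
  return sql`select date_trunc('hour', created_at at time zone ${zone}) as bucket, count(*) from website_event where website_id = ${websiteId} group by bucket`;
}

// Demonstration on a constructed malicious value: the unsafe builder emits the
// injected statement, the safe builder refuses it and binds a legitimate zone.
export function demo(): { unsafe: string; safeRejected: boolean; safe: ParamQuery } {
  const evil = "UTC'); drop table website_event; --";
  let safeRejected = false;
  try {
    buildPageviewsSafe("w1", evil);
  } catch {
    safeRejected = true;
  }
  return {
    unsafe: buildPageviewsUnsafe("w1", evil),
    safeRejected,
    safe: buildPageviewsSafe("w1", "Europe/Madrid"),
  };
}
```

With a real driver the `text` and `values` of the hardened result are sent as a prepared statement, so `'Europe/Madrid'` never appears inside the SQL string; the placeholder syntax differs per backend (`$1` for Postgres, `?` for MySQL, `{name:String}` for ClickHouse query parameters), but the separation is the same.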
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an authenticated attacker execute arbitrary SQL against the Umami database, which holds visitor analytics and user account records, so both the confidentiality and the integrity of that data are at risk.
Unauthorized access to, modification of, or disclosure of personal data through this path is the kind of event that data protection regimes such as GDPR and HIPAA require organisations to prevent, detect and, in many cases, report.
Exploitation can therefore put an organisation out of compliance by exposing protected data or by undermining the integrity guarantees those regimes expect, and patching promptly is part of demonstrating due care.