CVE-2026-4317

Deferred Deferred - Pending Action

SQL Injection in Umami Software Allows Authenticated Data Compromise

Publication date: 2026-03-31

Last updated on: 2026-05-19

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-31

Last Modified

2026-05-19

Generated

2026-06-16

AI Q&A

2026-03-31

EPSS Evaluated

2026-06-15

NVD

CVE-2026-4317

EUVD

EUVD-2026-17349

Affected Vendors & Products

Vendor	Product	Version / Range
umami_software	umami	to 3.0.3 (exc)
umami_software	umami	3.0.3

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-4317 is a critical SQL injection vulnerability in the Umami Software web application version 3.0.2, an analytics platform.

The vulnerability arises because the application improperly sanitizes the 'timezone' request parameter. An authenticated attacker can manipulate this parameter by injecting malicious SQL payloads.

The application uses unsafe methods such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe', or raw queries with ClickHouse to directly interpolate this parameter into SQL queries without adequate filtering or sanitization.

This allows an attacker with limited privileges to execute arbitrary SQL commands on the database, potentially compromising its integrity and executing dangerous functions.

Impact Analysis

Exploiting this vulnerability allows an authenticated attacker to execute arbitrary SQL commands on the database.

Compromise the integrity of the database.
Execute dangerous functions that could lead to data loss, data corruption, or unauthorized data access.
Potentially escalate privileges or disrupt the normal operation of the application.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the Umami Software application, specifically looking for unusual or malicious input in the 'timezone' request parameter.

Since the vulnerability involves SQL injection through the 'timezone' parameter, you can attempt to detect it by sending crafted requests with SQL payloads to this parameter and observing the application's response.

For example, you can use curl commands to test the parameter for SQL injection:

curl -X POST 'http://<target>/api/endpoint' -d "timezone=' OR '1'='1"
curl -X POST 'http://<target>/api/endpoint' -d "timezone='; DROP TABLE users; --"

Additionally, monitoring database logs for unusual queries or errors related to the 'timezone' parameter can help detect exploitation attempts.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Umami Software application to version 3.0.3 or later, where the issue has been fixed.

Until the upgrade can be applied, restrict access to the application to trusted authenticated users only, as the vulnerability requires authentication to exploit.

Implement input validation and sanitization on the 'timezone' parameter to prevent malicious SQL payloads from being executed.

Consider using parameterized queries or safe query methods instead of unsafe raw queries like 'prisma.rawQuery' or 'prisma.$queryRawUnsafe'.

Compliance Impact

The SQL injection vulnerability in Umami Software allows an authenticated attacker to execute arbitrary SQL commands, potentially compromising the integrity and confidentiality of the database.

Such a compromise could lead to unauthorized access, modification, or disclosure of sensitive data, which may result in non-compliance with data protection regulations and standards like GDPR and HIPAA that require safeguarding personal and sensitive information.

Therefore, exploitation of this vulnerability could negatively impact compliance by exposing protected data or failing to maintain its integrity and confidentiality as mandated by these regulations.

Hi! I’m here to help you understand CVE-2026-4317. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-4317

SQL Injection in Umami Software Allows Authenticated Data Compromise

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart