CVE-2026-5147
Received - Intake
SQL Injection in YunaiV yudao-cloud /admin-api Remote Exploit

Publication date: 2026-03-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published
2026-03-30
Last Modified
2026-04-29
Generated
2026-05-27
AI Q&A
2026-03-30
EPSS Evaluated
2026-05-25
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5147 is a security vulnerability in the yudao-cloud project version v2026.01 involving SQL injection attacks. Specifically, it affects the /admin-api/system/tenant/get-by-website endpoint, where an attacker can manipulate the 'website' parameter to perform a SQL Boolean Blind Injection without needing to authenticate.

This means an attacker can send specially crafted requests that alter the SQL queries executed by the backend database, potentially allowing them to extract sensitive information or manipulate the database.

Additionally, there is a related SQL Blind Injection vulnerability in the /admin-api/system/mail-log/page endpoint, which requires authentication but can be exploited due to weak default credentials (admin/admin123). This allows time-based blind SQL injection attacks to extract data by measuring response delays.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized access to sensitive database information, data leakage, and potential compromise of the backend database.

Because the injection can be performed remotely and without authentication on one endpoint, attackers can exploit it easily to gather information or manipulate data.

The presence of weak default credentials on another endpoint further increases the risk, allowing attackers to perform time-based blind SQL injection attacks to extract data.

Overall, exploitation could lead to data breaches, loss of data integrity, and disruption of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability can be detected by testing the affected endpoints for SQL injection using crafted requests that manipulate the 'website' parameter or other vulnerable parameters.

  • For the unauthenticated SQL Boolean Blind Injection in `/admin-api/system/tenant/get-by-website`, you can send a request like: `/admin-api/system/tenant/get-by-website?website=8.138.89.15:8888'%27AND(IF(06339=6338,1,(select table_name from information_schema.tables)))AND'%27Z` and observe the response behavior.
  • Use sqlmap, a popular SQL injection tool, to automate detection of the injection vulnerability on this endpoint.
  • For the authenticated SQL Blind Injection in `/admin-api/system/mail-log/page`, after logging in with default credentials (`admin/admin123`), send a request like: `GET /admin-api/system/mail-log/page?pageNo=1&pageSize=10&toMail='and(select*from(select+sleep(10))a/**/union/**/select+1)=' HTTP/1.1` and measure if the response is delayed by 10 seconds, indicating a time-based blind SQL injection.
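Rather than sending probes at a live system, a defender can look for the same payload shapes in the web server's access log after the fact. The following is an added example (my own code, not the advisory's and not part of yudao-cloud): it decodes each request target, keeps only requests to the two endpoints named above, and flags the watched parameters when they carry markers of the quoted boolean-based and time-based payloads. The combined-log line format, the `toMail` parameter name (taken from the request shown above) and the sample log lines are constructed assumptions for the demo.

```python
"""Detection helper for CVE-2026-5147 request patterns in an access log.
Added example; not code from the advisory or from the yudao-cloud project."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints named in the advisory, with the parameter(s) it describes as injectable
# (parameter names compared case-insensitively). Assumed from the advisory text.
WATCHED = {
    "/admin-api/system/tenant/get-by-website": {"website"},
    "/admin-api/system/mail-log/page": {"tomail"},
}

# Markers typical of the boolean- and time-based payloads quoted in the advisory.
MARKERS = [
    ("quote",           re.compile(r"'")),
    ("sleep",           re.compile(r"\bsleep\s*\(", re.I)),
    ("schema-probe",    re.compile(r"information_schema", re.I)),
    ("union",           re.compile(r"\bunion\b", re.I)),
    ("inline-comment",  re.compile(r"/\*.*?\*/")),
    ("boolean-compare", re.compile(r"\b(?:and|or)\s*\(?\s*(?:if\s*\(|\d+\s*=\s*\d+)", re.I)),
]

# Apache/Nginx combined-log shape (assumed): client, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode(value: str) -> str:
    """Percent-decode until stable, so '%2527' and '%27' both become a quote."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def inspect_request(target: str):
    """Return (path, param, marker) findings for one request target, or [] if clean."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    watched = WATCHED.get(path)
    if watched is None:
        return []
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in watched:
            continue
        value = decode(raw)
        for label, rx in MARKERS:
            if rx.search(value):
                findings.append((path, name, label))
    return findings

def scan_log(lines):
    """Return (line_no, client, status, findings) for suspicious requests only."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append((n, m.group("client"), int(m.group("status")), findings))
    return hits

# Constructed sample log: one normal lookup, two requests shaped like the advisory's
# payloads, and one unrelated request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2026:10:01:02 +0000] "GET /admin-api/system/tenant/get-by-website?website=portal.example.com HTTP/1.1" 200 312',
    '203.0.113.7 - - [30/Mar/2026:10:01:09 +0000] "GET /admin-api/system/tenant/get-by-website?website=portal.example.com%27AND(IF(1=1,1,(select%20table_name%20from%20information_schema.tables)))AND%27Z HTTP/1.1" 200 312',
    '203.0.113.7 - - [30/Mar/2026:10:02:15 +0000] "GET /admin-api/system/mail-log/page?pageNo=1&pageSize=10&toMail=%27and(select*from(select+sleep(10))a/**/union/**/select+1)=%27 HTTP/1.1" 200 88',
    '198.51.100.4 - - [30/Mar/2026:10:03:00 +0000] "GET /admin-api/system/user/page?pageNo=1 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line_no, client, status, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {client} (HTTP {status}):")
        for path, param, marker in findings:
            print(f"  {path} param={param} marker={marker}")
```

The scanner only decides on the request string, so a 200 response does not mean the injection succeeded and a 500 does not mean it failed; correlate hits with the database's slow-query log (for the `sleep` marker) and with authentication events on `/admin-api/system/mail-log/page`, where the advisory says a logged-in session is required.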

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoints, especially the unauthenticated ones, and changing or disabling weak default credentials such as 'admin/admin123' to prevent authenticated exploitation.

Additionally, monitor and block suspicious requests that attempt SQL injection payloads targeting the affected APIs.

Applying input validation and parameterized queries in the application code to prevent SQL injection is critical, though this may require vendor patches or code updates.
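The code-level fix the previous paragraph refers to is the combination of a bound query parameter and a strict shape check on the value. The following is an added illustration in Python with SQLite (my own code, not yudao-cloud's, which is a Java project): a constructed `system_tenant` table, the string-built lookup in which a quote in `website` is parsed as SQL, the same lookup with a bound parameter, and a handler that validates the value before querying. The table layout and the allowed website format are assumptions for the example.

```python
"""Added example (not yudao-cloud code): unsafe versus parameterized lookup of a
tenant by website, plus a format check applied before the value reaches any query."""
import re
import sqlite3

# Conservative shape for a tenant website value: hostname or IPv4 labels with an
# optional port. Constructed for the example; the real application's rules may differ.
WEBSITE_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*(:\d{1,5})?$"
)

def is_valid_website(value: str) -> bool:
    """Allowlist check: quotes, spaces and SQL punctuation never pass."""
    return bool(WEBSITE_RE.match(value))

def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, standing in for the tenant table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_tenant (id INTEGER PRIMARY KEY, name TEXT, website TEXT)")
    conn.executemany("INSERT INTO system_tenant (name, website) VALUES (?, ?)", [
        ("Tenant A", "a.example.com"),
        ("Tenant B", "b.example.com:8080"),
    ])
    return conn

def lookup_unsafe(conn, website: str):
    """String-built SQL: the value becomes part of the statement text (CWE-89)."""
    sql = f"SELECT id, name FROM system_tenant WHERE website = '{website}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, website: str):
    """Bound parameter: the engine receives the value as data, never as SQL text."""
    sql = "SELECT id, name FROM system_tenant WHERE website = ?"
    return conn.execute(sql, (website,)).fetchall()

def get_tenant_by_website(conn, website: str):
    """What the endpoint handler should do: reject malformed input, then bind the value."""
    if not is_valid_website(website):
        raise ValueError("website has an unexpected format")
    return lookup_safe(conn, website)

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed always-true condition to show the difference
    print("unsafe:", lookup_unsafe(conn, probe))   # every tenant row comes back
    print("safe:  ", lookup_safe(conn, probe))     # no row matches the literal string
    print("normal:", get_tenant_by_website(conn, "b.example.com:8080"))
```

The bound parameter is the fix; the format check is defence in depth that also keeps malformed values out of logs and downstream components (CWE-74). In a Java/MyBatis code base the same distinction is `#{website}` (bound parameter) versus `${website}` (string substitution); that mapping is stated from general MyBatis knowledge, not from the advisory, which does not say which query construct is affected.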


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-5147 vulnerability allows attackers to perform SQL injection attacks on the yudao-cloud system, potentially leading to unauthorized access to sensitive data stored in the backend database.

Such unauthorized data access and potential data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could lead to violations of these standards due to compromised confidentiality, integrity, and availability of protected data.

