CVE-2026-25773
Second-Order SQL Injection in Focalboard Category Reordering
Publication date: 2026-04-03
Last updated on: 2026-04-28
Assigner: Mattermost, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | focalboard | 8.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Second-Order SQL Injection in Focalboard version 8.0. The category ID supplied when a category is created is stored without being sanitized, and the category reorder API later reads those stored IDs back and splices them into dynamically built SQL statements. The flaw is second-order because the value is executed at a later step than the one that accepted it: the request that plants the payload looks harmless, and the request that triggers it carries no attacker-controlled SQL of its own, which is also why input filtering at the entry point is easy to miss.
An attacker who holds an ordinary authenticated account can therefore place SQL syntax in a category ID and have it run with the application's database privileges when the reorder API processes it.
The exploitation described is time-based blind SQL injection: the injected SQL makes the database pause when a guessed condition is true, and the attacker infers data one bit at a time from how long the reorder request takes to respond.
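The pattern described above, as an added illustration that is not Focalboard's own code and does not reproduce its schema or API: a category ID is accepted and stored without validation, and a later reorder step builds a dynamic CASE statement out of the stored IDs, trusting them because they came from the database. The table name, column names, ID alphabet and the payload string are all constructed for the example; the hardened builder shows the two fixes a reviewer would ask for, validating IDs against the expected format and binding every value as a parameter.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// category is a stand-in for whatever row Focalboard stores; the real
// schema is not shown on the advisory page.
type category struct {
	ID   string
	Name string
}

// idPattern is an assumed identifier format for this example: 1-32
// characters of [A-Za-z0-9_-]. Anything else is not a category ID.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,32}$`)

// createCategoryUnvalidated models the first-order step: the caller's ID is
// stored as-is. Nothing executes yet, so no error surfaces at this point.
func createCategoryUnvalidated(store map[string]category, id, name string) {
	store[id] = category{ID: id, Name: name}
}

// buildReorderSQLVulnerable models the second-order sink: stored IDs are
// read back and spliced into the statement text with fmt, so SQL syntax
// inside an ID becomes part of the query.
func buildReorderSQLVulnerable(ids []string) string {
	var b strings.Builder
	b.WriteString("UPDATE categories SET sort_order = CASE id")
	for i, id := range ids {
		fmt.Fprintf(&b, " WHEN '%s' THEN %d", id, i)
	}
	b.WriteString(" END WHERE id IN ('" + strings.Join(ids, "','") + "')")
	return b.String()
}

// buildReorderSQLSafe is the hardened form: every ID must match idPattern,
// and all values are passed as bind parameters (? placeholders), so the
// database never parses stored data as SQL. The returned args line up with
// the placeholders in order: (id, position) pairs, then the IN-list IDs.
func buildReorderSQLSafe(ids []string) (query string, args []any, err error) {
	var b strings.Builder
	b.WriteString("UPDATE categories SET sort_order = CASE id")
	for i, id := range ids {
		if !idPattern.MatchString(id) {
			return "", nil, fmt.Errorf("rejecting malformed category id %q", id)
		}
		b.WriteString(" WHEN ? THEN ?")
		args = append(args, id, i)
	}
	placeholders := strings.TrimSuffix(strings.Repeat("?,", len(ids)), ",")
	b.WriteString(" END WHERE id IN (" + placeholders + ")")
	for _, id := range ids {
		args = append(args, id)
	}
	return b.String(), args, nil
}

func main() {
	// Constructed, illustrative time-based payload (MySQL-style SLEEP); it is
	// inert while stored and only matters once spliced into the reorder SQL.
	evil := "a' OR SLEEP(5) OR '"
	store := map[string]category{}
	createCategoryUnvalidated(store, "cat_legit_1", "Backlog")
	createCategoryUnvalidated(store, evil, "Pwned")

	ids := []string{"cat_legit_1", evil}
	fmt.Println("vulnerable:", buildReorderSQLVulnerable(ids))
	if _, _, err := buildReorderSQLSafe(ids); err != nil {
		fmt.Println("hardened  :", err)
	}
}
```

Note that parameter binding alone would already stop the injection; the format check is there because an identifier column should never need to hold arbitrary text, and rejecting malformed IDs at both the create and reorder steps removes the second-order trust problem rather than relying on every sink being written carefully.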
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to exfiltrate data from the Focalboard database.
The injected query runs with the application's own database privileges, so the attacker is not limited to their own boards or categories; the advisory names password hashes of other users as the kind of sensitive data that can be retrieved. Recovered hashes can be cracked offline and could lead to further account compromise.
Time-based blind extraction is slow, since each request yields roughly one bit, but it needs nothing more than an ordinary account. The impact described is to confidentiality (and, given that the sink is an UPDATE path, potentially integrity of the database); no denial of service is described, although the deliberate delays the technique depends on will be visible as slow reorder requests.
What immediate steps should I take to mitigate this vulnerability?
Focalboard version 8.0 is vulnerable to a Second-Order SQL Injection because category IDs are not sanitized before being used in dynamic SQL. Since Focalboard as a standalone product is not maintained and no fix will be issued, immediate mitigation steps include:
- Restrict access to the Focalboard application to trusted, authenticated users, and in particular restrict who can obtain an account: the flaw needs only an ordinary login, so every account is an attack path.
- Audit the stored category IDs for values that are not well-formed identifiers; a stored payload is the precondition for exploitation, and removing it neutralizes the second-order trigger.
- Monitor and audit usage of the category reorder API, looking for repeated, unusually slow requests from a single account, which is what time-based blind extraction looks like in practice.
- Consider migrating to an actively maintained project management tool that does not carry this vulnerability.
- A web application firewall in front of Focalboard is defence in depth at best here: the payload is submitted once, in a field a WAF is unlikely to treat as SQL, and the request that actually triggers execution contains nothing malicious. Do not rely on a WAF as the fix for a second-order injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to perform a Second-Order SQL Injection, which can lead to the exfiltration of sensitive data including password hashes of other users.
Such unauthorized access and potential data leakage could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Second-Order SQL Injection in Focalboard version 8.0, where SQL payloads placed in category IDs are stored and later executed unsanitized by the reorder API. Because the triggering request carries no SQL of its own, request-level inspection is the wrong place to look; the evidence is in the stored data and in timing. Three checks follow directly from the description:
- Inspect the category ID column in the database for values that do not match the expected identifier format, or that contain SQL syntax such as quotes, comment markers, or delay functions (SLEEP, pg_sleep, BENCHMARK, WAITFOR).
- Review the database slow-query log for reorder statements that contain those delay functions; a time-based blind attack produces many such statements.
- Review application or reverse-proxy logs for the reorder endpoint and look for one account issuing a long series of requests that each take roughly the same, unusually long time.
The advisory itself gives no specific detection commands; the checks above are what a practitioner would build from the description.
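One way to carry out the first and third of those checks, as an added example and not anything from Focalboard or the advisory: the function below audits a CSV export of category rows (the column names, the identifier format, the table the export would come from and the sample rows are all constructed for the example), and a second function counts slow reorder requests per account from records a practitioner would extract from their own logs; the log field names are likewise hypothetical.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// validID is the assumed identifier format for this example; the real
// Focalboard ID format is not given on the advisory page.
var validID = regexp.MustCompile(`^[A-Za-z0-9_-]{1,32}$`)

// sleepTokens are delay functions used by time-based blind SQL injection on
// common backends; any of them inside an identifier column is a strong signal.
var sleepTokens = regexp.MustCompile(`(?i)\b(sleep|pg_sleep|benchmark|waitfor)\b`)

// sampleDump is a constructed export standing in for
// "SELECT id, name FROM <categories table>" output; two rows are planted.
const sampleDump = `id,name
cat_7Hs9kQ2,Backlog
cat_3mZx1pL,In Progress
a' OR SLEEP(5) OR ',Pwned
cat_x;DROP TABLE boards,Mine
`

type finding struct {
	ID     string
	Reason string
}

// auditCategoryIDs parses a CSV dump with a header row and returns one
// finding per ID that either names a delay function or falls outside the
// expected identifier alphabet. The delay check runs first so that a
// time-based payload is reported as such rather than as a generic oddity.
func auditCategoryIDs(csvDump string) ([]finding, error) {
	records, err := csv.NewReader(strings.NewReader(csvDump)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []finding
	for i, rec := range records {
		if i == 0 || len(rec) == 0 {
			continue // skip header and blank rows
		}
		id := rec[0]
		switch {
		case sleepTokens.MatchString(id):
			out = append(out, finding{id, "time-based SQLi delay function in id"})
		case !validID.MatchString(id):
			out = append(out, finding{id, "id contains characters outside the expected alphabet"})
		}
	}
	return out, nil
}

// reorderRequest is the hypothetical shape of one reorder call extracted
// from access or application logs: who made it and how long it took.
type reorderRequest struct {
	User     string
	Duration time.Duration
}

// slowReorders counts, per account, reorder calls that took at least
// threshold. Time-based blind extraction shows up as one account producing
// a cluster of requests that each stall for roughly the injected delay.
func slowReorders(reqs []reorderRequest, threshold time.Duration) map[string]int {
	counts := map[string]int{}
	for _, r := range reqs {
		if r.Duration >= threshold {
			counts[r.User]++
		}
	}
	return counts
}

func main() {
	findings, err := auditCategoryIDs(sampleDump)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("suspicious id %q: %s\n", f.ID, f.Reason)
	}
	// Constructed request records: one account repeatedly hitting ~5 s responses.
	reqs := []reorderRequest{
		{"alice", 120 * time.Millisecond},
		{"mallory", 5 * time.Second},
		{"mallory", 5100 * time.Millisecond},
		{"bob", 90 * time.Millisecond},
	}
	fmt.Println("slow reorders per user:", slowReorders(reqs, 3*time.Second))
}
```

The threshold should sit well above the endpoint's normal latency for the deployment; the point is not the exact value but that legitimate reorders are fast and uniform, while a blind extraction is a run of requests from one account whose durations cluster around the attacker's chosen delay.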