CVE-2026-25773
Received Received - Intake
Second-Order SQL Injection in Focalboard Category Reordering

Publication date: 2026-04-03

Last updated on: 2026-04-28

Assigner: Mattermost, Inc.

Description
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25773
EUVD
EUVD-2026-18651
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mattermost focalboard 8.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated attacker to perform a Second-Order SQL Injection, which can lead to the exfiltration of sensitive data including password hashes of other users.

Such unauthorized access and potential data leakage could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Executive Summary

This vulnerability is a Second-Order SQL Injection in Focalboard version 8.0. It occurs because the software fails to sanitize category IDs before using them in dynamic SQL statements when reordering categories.

An attacker who is authenticated can inject malicious SQL code into the category ID field. This malicious payload is stored in the database and later executed without proper sanitization when the category reorder API processes it.

This type of attack is time-based blind SQL injection, meaning the attacker can infer data by observing the time the system takes to respond.

Impact Analysis

This vulnerability allows an authenticated attacker to exfiltrate sensitive data from the system.

Specifically, the attacker can retrieve sensitive information such as password hashes of other users.

Because the attack exploits a SQL injection flaw, it can compromise the confidentiality and integrity of the database without causing denial of service.

Mitigation Strategies

Focalboard version 8.0 is vulnerable to a Second-Order SQL Injection due to failure to sanitize category IDs. Since Focalboard as a standalone product is not maintained and no fix will be issued, immediate mitigation steps include:

  • Restrict access to the Focalboard application to only trusted and authenticated users to reduce the risk of exploitation.
  • Monitor and audit usage of the category reorder API to detect suspicious activity.
  • Consider migrating to alternative project management tools that are actively maintained and do not have this vulnerability.
  • Implement network-level protections such as web application firewalls (WAF) to detect and block SQL injection attempts.
Detection Guidance

This vulnerability involves a Second-Order SQL Injection in Focalboard version 8.0, where malicious SQL payloads can be injected into category IDs and later executed unsanitized. Detection would involve monitoring for unusual or suspicious SQL queries related to category reordering or inspecting the category ID fields for injected SQL payloads.

Since the vulnerability requires authentication and targets the category reorder API, detection can include reviewing logs for abnormal API requests or unexpected database queries involving category IDs.

Specific commands to detect this vulnerability are not provided in the available context or resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25773. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart