CVE-2026-34455
SQL Injection in Hi.Events Repository Classes Enables Stacked Queries
Publication date: 2026-04-01
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hi.events | hi.events | From 0.8.0 (inc) to 1.7.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34455 is a high-severity SQL injection vulnerability in the Hi.Events open-source event management platform. Several repository classes pass the user-supplied `sort_by` query parameter straight to Eloquent's `orderBy()` without validating it. A column name in an ORDER BY clause cannot be sent as a bound parameter, so whatever the request contains ends up in the SQL text. Because Hi.Events runs on PostgreSQL, which executes stacked queries (several statements separated by `;` in one request), an attacker can terminate the ORDER BY clause and append arbitrary statements rather than merely changing the sort order.
The root cause is that the non-admin repository classes do not validate `sort_by` against an allowlist of sortable fields, even though such an allowlist method (`getAllowedSorts()`) exists and is used by the admin endpoints. Any authenticated organizer can therefore inject SQL through the `sort_by` parameter of the affected endpoints.
The fix introduces validation methods that check `sort_by` and `sort_direction` against allowlists defined in the domain objects. Values not on the allowlist are replaced with the default sort parameters, so unvalidated input never reaches the query.
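The vulnerable and hardened shapes side by side, as an added example written for this page (it is not Hi.Events code and does not use Eloquent). The table names, the column allowlists, the `SORTABLE` registry and the function names are assumptions standing in for the project's per-domain `getAllowedSorts()` lists; the point they illustrate holds for any ORM: an ORDER BY column cannot be a bound parameter, so it has to be allowlisted before the query text is built.

```python
"""Allowlist validation for sort parameters (example for this page, not project code)."""
from typing import Optional

# Assumed per-domain allowlists and defaults, modelled on the advisory's
# description of allowlists defined in domain objects.  Column names are
# constructed for this example.
SORTABLE = {
    "attendees": ({"id", "first_name", "last_name", "email", "created_at"},
                  ("created_at", "desc")),
    "orders": ({"id", "total_gross", "status", "created_at"},
               ("created_at", "desc")),
}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def order_by_unsafe(table: str, sort_by: str, sort_direction: str) -> str:
    """The vulnerable shape: request values are spliced into the SQL text.

    An ORDER BY column cannot be parameterised, so nothing downstream
    quotes or neutralises sort_by; on PostgreSQL a ';' in it starts a
    second, attacker-chosen statement.
    """
    return (f"SELECT * FROM {table} WHERE event_id = $1 "
            f"ORDER BY {sort_by} {sort_direction}")


def validate_sort(domain: str, sort_by: Optional[str],
                  sort_direction: Optional[str]) -> tuple:
    """Return a (column, direction) pair that is guaranteed to be allowlisted.

    Anything missing or not on the list is replaced by the domain's default.
    Falling back per parameter (column and direction independently) is this
    example's choice; the advisory only says invalid input falls back to the
    defaults.
    """
    allowed, (default_col, default_dir) = SORTABLE[domain]
    column = sort_by if sort_by in allowed else default_col
    direction = (sort_direction or "").lower()
    if direction not in ALLOWED_DIRECTIONS:
        direction = default_dir
    return column, direction


def order_by_safe(domain: str, sort_by: Optional[str],
                  sort_direction: Optional[str]) -> str:
    """Hardened shape: only allowlisted identifiers ever reach the query text."""
    column, direction = validate_sort(domain, sort_by, sort_direction)
    return (f"SELECT * FROM {domain} WHERE event_id = $1 "
            f"ORDER BY {column} {direction}")


if __name__ == "__main__":
    payload = "id; SELECT pg_sleep(5)--"   # the advisory's proof-of-concept value
    print(order_by_unsafe("attendees", payload, "asc"))
    print(order_by_safe("attendees", payload, "asc"))
```

With the proof-of-concept value the unsafe builder emits `... ORDER BY id; SELECT pg_sleep(5)-- asc`, a stacked query that PostgreSQL will run; the safe builder emits `... ORDER BY created_at asc`, because `id; SELECT pg_sleep(5)--` is not an allowlisted column. Note that the check is an exact set membership test, not a pattern filter: there is no list of "bad characters" to bypass.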
How can this vulnerability impact me?
Any authenticated organizer can execute SQL of their choosing against the application's database through the `sort_by` parameter. Because PostgreSQL runs stacked queries, an injected value is not limited to altering the sort order: it can append whole statements after the original query.
Potential impacts include unauthorized access to and exfiltration of sensitive data, such as attendees' personally identifiable information (PII), payment data and promo codes, with the corresponding loss of confidentiality and of the integrity of the event management system.
The published proof of concept was a time-based blind injection: a stacked `pg_sleep()` call delayed the server's response, confirming that the injected statement executed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Test whether the application still accepts arbitrary values in the `sort_by` query parameter of the affected API requests. The published proof of concept sends a request whose `sort_by` value stacks a `pg_sleep()` call after the intended column and compares the response time with that of a normal request.
With an authenticated organizer session, send a request of the form:
- GET /api/events/{id}/attendees?sort_by=id; SELECT pg_sleep(5)--
URL-encode the `sort_by` value when sending it, and use an event `{id}` the organizer can access. If the response takes roughly 5 seconds longer than the same request with `sort_by=id`, the injected statement ran and the instance is vulnerable. Measure that baseline first so ordinary latency is not mistaken for the delay, and only test instances you are authorized to test: `pg_sleep` holds a database backend for the whole delay.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Hi.Events to a fixed release: the advisory lists version 1.7.1-beta or later as patched, and the affected range ends before 1.7.1.
The patch validates `sort_by` and `sort_direction` against allowlists defined in the domain objects, so values outside the allowlist are replaced by the defaults before any query is built.
If you cannot upgrade immediately, limit organizer accounts to people you trust (exploitation needs an authenticated organizer), reject at the reverse proxy or WAF any `sort_by` or `sort_direction` value containing SQL syntax such as `;`, quotes, parentheses or `--`, and review access logs for such values.
Longer term, treat every request-controlled identifier (column names, table names, sort directions) as input that must be matched against an allowlist, because bound parameters cannot protect those positions in a query.
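One way to do the log review mentioned above, added as an example written for this page (not a Hi.Events component). It assumes an nginx/Apache "combined" access-log format, an endpoint layout matching the proof of concept, and per-endpoint allowlists that you fill in from your own deployment; the column names and the sample log lines are constructed for the example. It flags a `sort_by` that contains SQL syntax separately from one that is merely off the allowlist, since the latter may be a benign client bug while the former is an injection attempt.

```python
"""Scan access logs for sort parameters outside the allowlist (example for this page)."""
import re
import urllib.parse

# Assumed allowlists; the advisory only says such lists exist per domain object.
ALLOWED_SORTS = {
    "attendees": {"id", "first_name", "last_name", "email", "created_at"},
    "orders": {"id", "total_gross", "status", "created_at"},
}
ALLOWED_DIRECTIONS = {"asc", "desc"}

REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (?P<path>\S+) HTTP/[\d.]+"')
ENDPOINT = re.compile(r"^/api/events/\d+/(?P<domain>attendees|orders)$")
SQL_SYNTAX = re.compile(r"[;'\"()]|--|/\*|\b(select|union|sleep|pg_sleep)\b", re.I)


def check_request(path: str):
    """Return (param, value, reason) findings for one request path, decoded."""
    url = urllib.parse.urlsplit(path)
    m = ENDPOINT.match(url.path)
    if not m:
        return []
    allowed = ALLOWED_SORTS[m.group("domain")]
    # parse_qs undoes percent-encoding and '+', so we inspect what the app saw.
    params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
    findings = []
    for value in params.get("sort_by", []):
        if SQL_SYNTAX.search(value):
            findings.append(("sort_by", value, "sql syntax"))
        elif value not in allowed:
            findings.append(("sort_by", value, "not on allowlist"))
    for value in params.get("sort_direction", []):
        if value.lower() not in ALLOWED_DIRECTIONS:
            findings.append(("sort_direction", value, "not asc/desc"))
    return findings


def scan_log(lines):
    """Return (line_number, client_ip, findings) for every line with a suspicious sort parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        findings = check_request(m.group("path"))
        if findings:
            hits.append((n, line.split(" ", 1)[0], findings))
    return hits


# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "GET /api/events/42/attendees?sort_by=email&sort_direction=asc HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:00:09 +0000] "GET /api/events/42/attendees?sort_by=id%3B+SELECT+pg_sleep%285%29-- HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '198.51.100.2 - - [01/Apr/2026:10:01:00 +0000] "GET /api/events/42/orders?sort_by=total_gross&sort_direction=DESC HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Apr/2026:10:01:30 +0000] "GET /api/events/42/orders?sort_by=%28SELECT+1%29&sort_direction=desc HTTP/1.1" 500 0 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for n, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {findings}")
```

On the sample lines only the second and fourth are reported, both as "sql syntax"; the request with `sort_direction=DESC` passes because the application's own check is case-insensitive in this model. Run it over the full retention window of your logs, since the affected versions go back to 0.8.0 and an earlier attempt may predate the advisory.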
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The injection can lead to unauthorized access to and exfiltration of sensitive data held by Hi.Events, such as attendees' personally identifiable information (PII), payment data and promo codes.
Unauthorized exposure of such data can put an operator out of compliance with data protection regimes like GDPR and, where health-related information is processed, HIPAA, both of which require controls protecting the confidentiality and integrity of personal and sensitive data.
Although exploitation requires an authenticated organizer account, a single such account can exfiltrate data through stacked queries on PostgreSQL, so an unpatched instance is a material compliance risk.