CVE-2026-5736
Status: Received - Intake
SQL Injection in PowerJob InstanceController Enables Remote Exploitation

Publication date: 2026-04-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in PowerJob 5.1.0, 5.1.1 and 5.1.2. Affected is an unknown function in the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java, which implements the detailPlus endpoint. Manipulation of the customQuery argument leads to SQL injection, and the attack can be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs

Vendor  Product   Version / Range
tech    powerjob  5.1.0
tech    powerjob  5.1.1
tech    powerjob  5.1.2
tech    powerjob  From 5.1.0 (inclusive) to 5.1.2 (inclusive)
CWE
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5736 is a critical vulnerability in PowerJob versions 5.1.0 through 5.1.2 that allows unauthenticated remote code execution via SQL injection. Two defects in the `/instance/detailPlus` API endpoint combine: the `getInstanceDetailPlus` method performs no authentication or permission check, so anyone who can reach the endpoint can call it; and the `customQuery` parameter is passed into SQL guarded only by a keyword blacklist that omits H2 database commands such as RUNSCRIPT, CALL, LINK and SCRIPT.

An attacker sends crafted SQL in the `customQuery` parameter, which is concatenated into a query executed by the H2 database behind the server. H2 includes commands that run scripts and define function aliases, so the injection escalates from data access to arbitrary code execution on the server. The blacklist offers little protection: it is a plain substring match, so it stops exactly the words it lists and nothing else, while also rejecting harmless values that merely contain a listed word.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to execute arbitrary system commands on the server running PowerJob. That amounts to full compromise of the host: unauthorized reading and modification of data, disruption of the scheduler and the jobs it runs, and a foothold for lateral movement within the network.

Concretely, injected SQL can execute remote scripts and create H2 function aliases that run operating-system commands, giving the attacker control of the server environment without any credentials.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detecting this vulnerability means two things: spotting requests that reach the `/instance/detailPlus` API endpoint at all, especially from clients with no authenticated session, and spotting `customQuery` values that carry SQL beyond a simple filter expression.

Specifically, look for requests to `/instance/detailPlus` whose `customQuery` parameter contains the H2 keywords RUNSCRIPT, CALL, LINK or SCRIPT, or SQL syntax no filter needs, such as a statement separator (`;`) or comment markers (`--`, `/*`). These are indicators of attempted exploitation.

Web-server and application logs can be searched for these patterns, for example with grep. Two caveats apply. Match the keywords as whole words (`-w`): `call`, `link` and `script` are common substrings of harmless tokens such as `callback` and `description`, and a bare `script` already matches `runscript`. And a standard access log records only the request line, so a `customQuery` sent in a POST body never appears there; for POST traffic the parameter has to be found in the application log, at a WAF, or at a reverse proxy configured to log request bodies. Decode URL-encoded values (`%3B` for `;`) before matching.

  • grep -E '"(GET|POST) /instance/detailPlus' /path/to/access.log | grep -iwE 'runscript|call|link|script'
  • grep -i 'customQuery=' /path/to/application.log | grep -iwE 'runscript|call|link|script'

Finally, since the endpoint is reachable before authentication, any access to it that is not tied to a logged-in user is worth an alert on its own.
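The search above, as an added example that is not from the page or from PowerJob: a small Python scanner that applies the same logic to constructed access-log and application-log lines, matches the four keywords on word boundaries, additionally flags separator and comment syntax, and marks endpoint hits whose parameter is not in the URL so they can be checked in a body-level log. The combined access-log format is standard; the application-log convention, the sample lines and the extra separator check are assumptions made for the demo.

```python
"""Scan log lines for requests to /instance/detailPlus whose customQuery parameter
carries SQL beyond a plain filter expression.

Added example for this page; it is not PowerJob code. The access-log format is the
common combined format, the application-log format and the sample lines below are
constructed for the demo, and the suspicious-token list goes beyond the four keywords
named on the page by also flagging statement separators and comment syntax.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/instance/detailPlus"

# H2 keywords named in the advisory, matched as whole words so that "call" does not
# fire on "callback" or "script" on "description"; separators/comments are an assumption.
KEYWORDS = re.compile(r"\b(runscript|call|link|script)\b", re.IGNORECASE)
SEPARATORS = re.compile(r";|--|/\*")

# Request line of a combined-format access log: method, target (path + query), status.
ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Constructed application-log convention: the handler echoes "customQuery=<urlencoded>".
APP_RE = re.compile(r"customQuery=(?P<value>[^\s&]+)")


def verdict_for(value):
    """Classify one decoded customQuery value."""
    return "suspicious" if KEYWORDS.search(value) or SEPARATORS.search(value) else "benign"


def classify_access_line(line):
    """Return a finding for a request to the endpoint, or None for any other line."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query).get("customQuery", [])  # parse_qs URL-decodes
    if not values:
        # Access logs hold only the request line: a POST body is invisible here, so the
        # parameter must be checked in the application log or at the proxy/WAF instead.
        verdict = "no-parameter"
    else:
        verdict = "suspicious" if any(verdict_for(v) == "suspicious" for v in values) else "benign"
    return {"source": "access", "method": m.group("method"), "status": m.group("status"),
            "customQuery": values, "verdict": verdict}


def classify_app_line(line):
    """Return a finding for an application-log line that echoes customQuery, else None."""
    if "detailPlus" not in line:
        return None
    m = APP_RE.search(line)
    if not m:
        return None
    value = unquote_plus(m.group("value"))
    return {"source": "app", "customQuery": [value], "verdict": verdict_for(value)}


def scan(access_lines, app_lines):
    """Classify every line; findings keep input order, non-matching lines are dropped."""
    findings = [classify_access_line(l) for l in access_lines]
    findings += [classify_app_line(l) for l in app_lines]
    return [f for f in findings if f is not None]


# Constructed sample lines (not real traffic).
SAMPLE_ACCESS = [
    '10.0.0.5 - - [07/Apr/2026:10:00:01 +0000] "GET /instance/detailPlus?instanceId=1&customQuery=status%3D1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Apr/2026:10:00:02 +0000] "GET /instance/detailPlus?instanceId=1&customQuery=status%3D1%3B+RUNSCRIPT HTTP/1.1" 200 77',
    '10.0.0.9 - - [07/Apr/2026:10:00:03 +0000] "POST /instance/detailPlus HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Apr/2026:10:00:04 +0000] "GET /job/list?description=script+runner HTTP/1.1" 200 512',
]
SAMPLE_APP = [
    "2026-04-07 10:00:03.120 INFO InstanceController - detailPlus instanceId=1 customQuery=job_id%3D42+AND+description%3D%27scripted%27",
    "2026-04-07 10:00:05.001 INFO InstanceController - detailPlus instanceId=1 customQuery=1%3D1%3B+CALL+x",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS, SAMPLE_APP):
        print(f["source"], f["verdict"], f["customQuery"])
```

The POST line in the sample yields "no-parameter" rather than "benign": the scanner cannot see a body, and reporting silence as safety would be the wrong default for a pre-authentication endpoint.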


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

An unauthenticated remote code execution flaw in a server that schedules and runs jobs puts every dataset that server can reach at risk of unauthorized access or alteration, which can constitute a reportable breach under data-protection regimes such as GDPR and HIPAA.

The combination of a missing authentication check on a sensitive endpoint and insufficient input validation is also a control failure in its own right against the access-control and secure-development requirements those standards impose, whether or not exploitation is ever observed.

Organizations running affected versions of PowerJob without a fix or compensating controls therefore risk non-compliance with regulations that mandate strict access control and protection against unauthorized data access or modification.


What immediate steps should I take to mitigate this vulnerability?

Two changes close the hole: enforce authentication and authorization on `/instance/detailPlus`, and stop passing `customQuery` into SQL unchecked. Check first whether a fixed release exists; the description notes that the project had not responded to the report, so the changes may have to be applied to your own build.

  • Add the `@ApiPermission` annotation to the `getInstanceDetailPlus` method so the endpoint requires an authenticated caller with the appropriate role and permissions.
  • Extend the SQL injection blacklist for the `customQuery` parameter with the H2-specific commands RUNSCRIPT, CALL, LINK and SCRIPT. Treat this as a stopgap only: a blacklist stops exactly the keywords it names.

Better, restrict the SQL grammar accepted in `customQuery` to a safe subset (for example column, operator and value comparisons over a fixed set of columns), reject statement separators and comment syntax outright, and bind values as query parameters rather than concatenating them into the statement.

If no fix can be applied immediately, block network access to the endpoint at the reverse proxy or firewall and monitor it for suspicious activity as a temporary measure.
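The following added example is not PowerJob's code. It puts the two points made in the explanation and in the mitigation steps above side by side: a keyword blacklist checked by substring matching (a hypothetical list in the style described, with the H2 commands missing) and an allowlisted filter grammar that also emits a parameterised WHERE clause. The blacklist contents, the column names and the accepted grammar are assumptions chosen for illustration.

```python
"""Substring blacklist versus an allowlisted grammar for a customQuery-style parameter.

Added example for this page, not PowerJob's code. The blacklist contents, the column
names and the accepted grammar are assumptions chosen to illustrate two points: a
keyword blacklist admits anything it does not name (and rejects harmless values that
contain a listed word), while restricting the parameter to a small grammar with values
bound as parameters removes the injection surface instead of chasing keywords.
"""
import re

# Hypothetical blacklist of the kind described on the page: common DML/DDL words, but
# none of the H2 administrative commands (RUNSCRIPT, CALL, LINK, SCRIPT) the advisory names.
BLACKLIST = ("drop", "delete", "update", "insert", "truncate", "exec")


def blacklist_allows(custom_query):
    """The weak check: reject only if a listed word appears anywhere as a substring."""
    q = custom_query.lower()
    return not any(word in q for word in BLACKLIST)


# Hardened alternative: accept only AND-joined comparisons of a known column against an
# integer or a quoted string without embedded quotes, and emit a parameterised clause.
ALLOWED_COLUMNS = {"instance_id", "job_id", "status", "expected_trigger_time"}
TERM_RE = re.compile(r"\s*([A-Za-z_]+)\s*(<>|<=|>=|=|<|>)\s*(\d+|'[^']*')\s*")


def parameterize(custom_query):
    """Return (where_clause, params) for an allowed filter, or None if it is rejected.

    Statement separators and comment syntax are refused outright; every term must
    match TERM_RE exactly; values never reach the SQL text, only '?' placeholders do.
    """
    if any(tok in custom_query for tok in (";", "--", "/*", "*/")):
        return None
    clause, params = [], []
    for term in re.split(r"\s+and\s+", custom_query.strip(), flags=re.IGNORECASE):
        m = TERM_RE.fullmatch(term)
        if not m:
            return None
        column, op, value = m.group(1).lower(), m.group(2), m.group(3)
        if column not in ALLOWED_COLUMNS:
            return None
        clause.append(f"{column} {op} ?")
        params.append(int(value) if value.isdigit() else value[1:-1])
    return " AND ".join(clause), params


if __name__ == "__main__":
    for q in ("status = 1 AND job_id = 42",
              "status = 1; RUNSCRIPT",
              "status = '1' OR '1'='1'",
              "gmt_update > 0"):
        print(repr(q), "blacklist:", blacklist_allows(q), "allowlist:", parameterize(q))
```

Note the two failure modes of the blacklist in the sample inputs: `status = 1; RUNSCRIPT` passes because the word is not listed, while a harmless `gmt_update > 0` is refused because `update` is a substring of the column name. The grammar-based check gets both right and never lets a user-supplied value into the SQL string.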

