Executive Summary

CVE-2026-41422 is a SQL injection vulnerability in the Daptin headless CMS, specifically affecting versions prior to 0.11.4. The vulnerability exists in the /aggregate/:typename endpoint, where the column and group query parameters are passed directly to the goqu.L() function without any validation.

This lack of validation allows authenticated users with any valid session to inject arbitrary SQL expressions, bypassing all parameterization safeguards.

As a result, attackers can execute malicious SQL queries, potentially extracting sensitive data, disclosing database internals, or exfiltrating data across tables.

The vulnerability was confirmed by extracting user email addresses through a crafted query. It is classified as CWE-89 (SQL Injection) and has a high severity CVSS score of 8.3.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized data access and data exfiltration.

• Attackers can extract sensitive information such as user email addresses or other confidential data stored in the database.
• It can lead to disclosure of internal database structure and data from multiple tables via crafted subqueries.
• The integrity and availability of the system can also be affected, as the vulnerability allows injection of arbitrary SQL expressions.

Because the attack requires only an authenticated session and no user interaction, it is relatively easy to exploit.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the `/aggregate/:typename` endpoint of the Daptin application, specifically looking for unusual or crafted SQL expressions in the `column` and `group` query parameters.

Since the vulnerability allows authenticated users to inject arbitrary SQL, detection can involve reviewing logs for suspicious query parameters that contain SQL keywords or subqueries.

Commands to detect exploitation attempts might include searching web server or application logs for suspicious patterns. For example, using grep to find SQL keywords in query parameters:

• grep -iE 'column=.*(select|union|insert|update|delete|drop|--|;)' /path/to/daptin/logs/access.log
• grep -iE 'group=.*(select|union|insert|update|delete|drop|--|;)' /path/to/daptin/logs/access.log

Additionally, monitoring for unexpected database errors or unusual query execution patterns in database logs may help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade Daptin to version 0.11.4 or later, where the issue has been fixed.

The fix replaces unsafe raw SQL literal usage with structural expression parsing, schema-based column validation, allowlist-based function validation, safe constructors, and scope enforcement.

No configuration changes are required after upgrading; the update ensures only safe aggregation forms are allowed.

Until the upgrade can be applied, consider restricting access to the `/aggregate/:typename` endpoint to trusted users only and monitoring for suspicious activity as a temporary mitigation.

Useful 0 Not Useful 0

Compliance Impact

The SQL injection vulnerability in Daptin prior to version 0.11.4 allows authenticated users to inject arbitrary SQL expressions, potentially extracting sensitive data such as user email addresses and other database internals.

This unauthorized data access and exfiltration risk can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to prevent unauthorized disclosure.

Therefore, exploitation of this vulnerability could compromise confidentiality and integrity of protected data, resulting in non-compliance with these common standards and regulations.

Useful 0 Not Useful 0