CVE-2026-41422
Deferred - Pending Action
SQL Injection in Daptin CMS Prior to 0.11.4

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the `/aggregate/:typename` endpoint accepted `column` and `group` query parameters that were passed verbatim to goqu.L(), a raw SQL literal expression builder, without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-05-07
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: daptin
Product: daptin
Version / Range: up to 0.11.4 (excluding 0.11.4)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in Daptin prior to version 0.11.4 allows authenticated users to inject arbitrary SQL expressions, potentially extracting sensitive data such as user email addresses and other database internals.

This unauthorized data access and exfiltration risk can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to prevent unauthorized disclosure.

Therefore, exploitation of this vulnerability could compromise confidentiality and integrity of protected data, resulting in non-compliance with these common standards and regulations.


Can you explain this vulnerability to me?

CVE-2026-41422 is a SQL injection vulnerability in the Daptin headless CMS, specifically affecting versions prior to 0.11.4. The vulnerability exists in the /aggregate/:typename endpoint, where the column and group query parameters are passed directly to the goqu.L() function without any validation.

This lack of validation allows authenticated users with any valid session to inject arbitrary SQL expressions, bypassing all parameterization safeguards.

As a result, attackers can execute malicious SQL queries, potentially extracting sensitive data, disclosing database internals, or exfiltrating data across tables.

The vulnerability was confirmed by extracting user email addresses through a crafted query. It is classified as CWE-89 (SQL Injection) and has a high severity CVSS score of 8.3.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized data access and data exfiltration.

  • Attackers can extract sensitive information such as user email addresses or other confidential data stored in the database.
  • It can lead to disclosure of internal database structure and data from multiple tables via crafted subqueries.
  • The integrity and availability of the system can also be affected, as the vulnerability allows injection of arbitrary SQL expressions.

Because the attack requires only an authenticated session and no user interaction, it is relatively easy to exploit.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and analyzing requests to the `/aggregate/:typename` endpoint of the Daptin application, specifically looking for unusual or crafted SQL expressions in the `column` and `group` query parameters.

Since the vulnerability allows authenticated users to inject arbitrary SQL, detection can involve reviewing logs for suspicious query parameters that contain SQL keywords or subqueries.

Commands to detect exploitation attempts might include searching web server or application logs for suspicious patterns. For example, using grep to find SQL keywords in query parameters:

  • `grep -iE 'column=.*(select|union|insert|update|delete|drop|--|;)' /path/to/daptin/logs/access.log`
  • `grep -iE 'group=.*(select|union|insert|update|delete|drop|--|;)' /path/to/daptin/logs/access.log`

Additionally, monitoring for unexpected database errors or unusual query execution patterns in database logs may help identify exploitation attempts.
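The grep patterns above run on the raw log line, so a percent-encoded parameter value slips past them. As an added example (not part of this advisory and not Daptin's code), the Go program below applies the same keyword set to the URL-decoded `column` and `group` values of `/aggregate/` requests; the log lines and addresses are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (not real Daptin logs); lines 2 and 4 carry encoded SQL.
const sampleLog = `10.0.0.5 - - [07/May/2026:10:01:02 +0000] "GET /aggregate/order?column=count(id)&group=user_id HTTP/1.1" 200 512
10.0.0.9 - - [07/May/2026:10:01:09 +0000] "GET /aggregate/order?column=(select%20email%20from%20user_account)&group=id HTTP/1.1" 200 640
10.0.0.7 - - [07/May/2026:10:02:11 +0000] "GET /api/user_account?page=1 HTTP/1.1" 200 300
10.0.0.9 - - [07/May/2026:10:03:00 +0000] "GET /aggregate/user_account?column=id&group=id%3B%20drop%20table%20x HTTP/1.1" 500 90`

// Same keyword set as the grep patterns above, but applied to the decoded value.
var sqlRe = regexp.MustCompile(`(?i)\b(select|union|insert|update|delete|drop)\b|--|;`)

// FindSuspiciousAggregateRequests returns the log lines whose request targets /aggregate/
// with SQL keywords in column or group. Matching happens after URL-decoding, so
// percent-encoded values that a grep on the raw line would miss are still caught.
func FindSuspiciousAggregateRequests(log string) []string {
	var hits []string
lines:
	for _, line := range strings.Split(log, "\n") {
		start, end := strings.Index(line, `"`), strings.LastIndex(line, `"`)
		if start < 0 || end <= start {
			continue
		}
		fields := strings.Fields(line[start+1 : end]) // METHOD TARGET PROTO
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "/aggregate/") {
			continue
		}
		_, rawQuery, _ := strings.Cut(fields[1], "?")
		q, _ := url.ParseQuery(rawQuery) // decodes %xx; a partial result on error is fine here
		for _, p := range []string{"column", "group"} {
			for _, v := range q[p] {
				if sqlRe.MatchString(v) {
					hits = append(hits, line)
					continue lines
				}
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(FindSuspiciousAggregateRequests(sampleLog))
}
```

A legitimate request such as `column=count(id)` is not flagged, so the check can run continuously over access logs with few false positives.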


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended step to mitigate this vulnerability is to upgrade Daptin to version 0.11.4 or later, where the issue has been fixed.

The fix replaces unsafe raw SQL literal usage with structural expression parsing, schema-based column validation, allowlist-based function validation, safe constructors, and scope enforcement.

No configuration changes are required after upgrading; the update ensures only safe aggregation forms are allowed.

Until the upgrade can be applied, consider restricting access to the `/aggregate/:typename` endpoint to trusted users only and monitoring for suspicious activity as a temporary mitigation.
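The fix is summarised above as structural expression parsing plus schema-based column validation and allowlist-based function validation. As an added illustration of that approach (not Daptin's actual 0.11.4 code; the schema, the function list and the `ValidateAggregate` name are assumptions), this Go validator accepts only `col` or `func(col)` terms and rebuilds the select list from validated identifiers, so no request text is ever handed to a raw-literal builder such as goqu.L().

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed, simplified schema (table -> allowed columns); illustrative only, not Daptin's own.
var schema = map[string]map[string]bool{
	"user_account": {"id": true, "email": true, "created_at": true},
	"order":        {"id": true, "amount": true, "user_id": true},
}

// Aggregate functions the endpoint may emit; anything else is refused.
var allowedFuncs = map[string]bool{"count": true, "sum": true, "avg": true, "min": true, "max": true}

// A term is exactly `col` or `func(col)`: identifiers only, no operators, quotes or spaces.
var termRe = regexp.MustCompile(`^(?:([a-z_]+)\(([a-z_][a-z0-9_]*)\)|([a-z_][a-z0-9_]*))$`)

// ValidateAggregate parses the comma-separated column parameter structurally, checks each
// column against the table schema and each function against the allowlist, and returns the rebuilt select list.
func ValidateAggregate(table, columnParam string) (string, error) {
	cols, ok := schema[table]
	if !ok {
		return "", fmt.Errorf("unknown table %q", table)
	}
	var out []string
	for _, raw := range strings.Split(columnParam, ",") {
		term := strings.TrimSpace(raw)
		m := termRe.FindStringSubmatch(term)
		if m == nil {
			return "", fmt.Errorf("rejected %q: not of the form col or func(col)", term)
		}
		fn, col := m[1], m[2]
		if fn == "" {
			col = m[3] // bare column form
		}
		if !cols[col] || (fn != "" && !allowedFuncs[fn]) {
			return "", fmt.Errorf("rejected %q: column or function not allowed for %s", term, table)
		}
		if fn != "" {
			col = fn + "(" + col + ")"
		}
		out = append(out, col)
	}
	return strings.Join(out, ", "), nil
}

func main() {
	fmt.Println(ValidateAggregate("user_account", "count(id),max(created_at)"))
}
```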

