CVE-2026-42425

Deferred Deferred - Pending Action

OpenKM 6.3.12 SQL Injection via DatabaseQuery

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulnCheck

Description

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-26

Last Modified

2026-05-26

Generated

2026-06-15

AI Q&A

2026-05-26

EPSS Evaluated

2026-06-14

NVD

CVE-2026-42425

EUVD

EUVD-2026-31834

Affected Vendors & Products

Vendor	Product	Version / Range
openkm	openkm	6.3.12
openkm	openkm	to 7.1.47 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-42425 is a high-severity SQL injection vulnerability found in OpenKM versions 6.3.12 and below, including Professional Edition up to 7.1.47.

This vulnerability allows authenticated administrative users to execute arbitrary SQL commands against the application database through the DatabaseQuery interface.

Attackers exploit this by submitting malicious SQL queries via the 'qs' parameter to the '/admin/DatabaseQuery' endpoint.

The root cause is improper neutralization of special elements in SQL commands, which is a classic SQL injection issue (CWE-89).

Compliance Impact

The vulnerability in OpenKM 6.3.12 allows authenticated administrative users to execute arbitrary SQL commands, potentially extracting sensitive data such as usernames and password hashes, modifying permissions, or deleting records. This exposure of sensitive data and unauthorized modification capabilities can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the ability to extract sensitive user data and alter permissions undermines data confidentiality and integrity, core principles in these regulations. Organizations using affected OpenKM versions may face increased risk of data breaches, unauthorized data access, and potential regulatory penalties if this vulnerability is exploited.

Impact Analysis

This vulnerability can have serious impacts including unauthorized extraction of sensitive data such as usernames and password hashes from the OKM_USER table.

Attackers can also modify user permissions or delete critical database records, potentially disrupting application functionality or escalating privileges.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious SQL queries submitted to the /admin/DatabaseQuery endpoint, specifically those using the qs parameter to execute arbitrary SQL commands.

Proof-of-concept tools and detection templates are available to help identify exploitation attempts of this vulnerability.

Commands to detect this might include inspecting web server logs or using network monitoring tools to filter HTTP requests targeting /admin/DatabaseQuery with qs parameters containing SQL statements.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /admin/DatabaseQuery endpoint to only trusted administrative users and monitoring for unusual SQL queries.

Since the vulnerability allows authenticated administrative users to execute arbitrary SQL, ensure that administrative credentials are tightly controlled and consider applying any available patches or updates from OpenKM.

Hi! I’m here to help you understand CVE-2026-42425. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-42425

OpenKM 6.3.12 SQL Injection via DatabaseQuery

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart