CVE-2026-44349
SQL Injection in Daptin CMS via Fuzzy Search
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| daptin | daptin | up to 0.11.5 (excluding) |
| daptin | daptin | 0.11.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44349 is a SQL injection vulnerability in the fuzzy search API of the Daptin headless CMS software. The vulnerability occurs because user-supplied column names are directly inserted into raw SQL queries without proper validation or a whitelist check. This allows an authenticated user, including those who self-register without admin approval, to exploit the fuzzy search endpoint to perform boolean-blind SQL injection attacks.
Specifically, the processFuzzySearch function splits the user-supplied column parameter on commas and interpolates each segment into the SQL query text without verifying that the segment is a real column name. The flaw affects all supported database backends (SQLite, PostgreSQL, MySQL, and MSSQL). It has been fixed in version 0.11.5 by adding a whitelist check that validates column names before they are used in queries.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows any authenticated user, including those who self-register, to read the entire database through a SQL injection attack. This can lead to unauthorized access to sensitive data such as user emails and bcrypt password hashes.
Such unauthorized data exposure can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Therefore, the vulnerability poses a significant risk to compliance by potentially enabling data breaches and unauthorized data disclosure.
How can this vulnerability impact me?
This vulnerability allows any authenticated user, including those who self-register without administrative involvement, to read the entire database. Attackers can exploit the fuzzy search API to extract sensitive data such as user emails and bcrypt password hashes.
The attack can be performed at a rate of about 7 HTTP requests per character extracted, enabling full database extraction through boolean-blind SQL injection techniques. This can lead to significant data breaches and unauthorized data disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the /api/<entity> endpoint whose query filter uses the operator fuzzy, fuzzy_any, or fuzzy_all.
Specifically, requests whose filter carries user-supplied column names (anything other than the entity's real column names) may indicate attempts to exploit the SQL injection.
A practical detection method is to analyze web server logs or network traffic for GET requests matching the pattern /api/<entity>?query=[{"operator":"fuzzy",...}]. In access logs the query string is normally percent-encoded, so "operator":"fuzzy" appears as %22operator%22%3A%22fuzzy%22; a search should match either form.
grep or a similar command-line utility can search logs for these patterns:
- grep -iE '(%22|")operator(%22|")(%3A|:)(%22|")fuzzy(%22|")' /path/to/access.log
- grep -iE '(%22|")operator(%22|")(%3A|:)(%22|")fuzzy_any(%22|")' /path/to/access.log
- grep -iE '(%22|")operator(%22|")(%3A|:)(%22|")fuzzy_all(%22|")' /path/to/access.log
Further, monitoring for unusual database read activity or unexpected queries involving column names passed via these endpoints may also indicate exploitation.
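The log check described above, worked through in Go as an added example; it is not part of this CVE record and is not the Daptin project's code. It assumes a combined-format access log, that the query parameter is a JSON array of filter objects whose column field (the field name "column" is an assumption; the page only names the operator values) carries the comma-separated column list, and a constructed table-to-column map standing in for the real schema. A fuzzy filter whose columns all exist in the schema is reported as informational; one containing anything that is not a known identifier is reported as high, and a query that does not parse at all is reported as medium.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (not from a real deployment). Three use
// a fuzzy operator; the third carries a column value that is not an identifier.
var sampleLog = []string{
	`10.0.0.5 - - [07/May/2026:10:01:02 +0000] "GET /api/user_account?query=%5B%7B%22column%22%3A%22name%22%2C%22operator%22%3A%22fuzzy%22%2C%22value%22%3A%22ali%22%7D%5D HTTP/1.1" 200 512`,
	`10.0.0.9 - - [07/May/2026:10:01:05 +0000] "GET /api/user_account?query=%5B%7B%22column%22%3A%22name%2Cemail%22%2C%22operator%22%3A%22fuzzy_any%22%2C%22value%22%3A%22ali%22%7D%5D HTTP/1.1" 200 512`,
	`10.0.0.9 - - [07/May/2026:10:01:09 +0000] "GET /api/user_account?query=%5B%7B%22column%22%3A%22name%29--%22%2C%22operator%22%3A%22fuzzy_all%22%2C%22value%22%3A%22a%22%7D%5D HTTP/1.1" 200 512`,
	`10.0.0.7 - - [07/May/2026:10:02:00 +0000] "GET /api/user_account?query=%5B%7B%22column%22%3A%22name%22%2C%22operator%22%3A%22eq%22%2C%22value%22%3A%22bob%22%7D%5D HTTP/1.1" 200 128`,
}

// knownColumns stands in for the table schema (constructed, not Daptin's).
var knownColumns = map[string]map[string]bool{
	"user_account": {"name": true, "email": true, "created_at": true},
}

var fuzzyOps = map[string]bool{"fuzzy": true, "fuzzy_any": true, "fuzzy_all": true}
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
var reqRe = regexp.MustCompile(`"(?:GET|POST) (/api/[^ ?"]+)\?([^ "]*) HTTP/`)

// Filter mirrors one element of the query JSON array; the "column" field
// name is an assumption based on the CVE description.
type Filter struct {
	Column   string `json:"column"`
	Operator string `json:"operator"`
	Value    string `json:"value"`
}

type Finding struct {
	LineNo   int
	Entity   string
	Operator string
	Columns  []string
	BadCols  []string
	Severity string
}

// parseFilters percent-decodes the query string and unmarshals the filter array.
func parseFilters(rawQuery string) ([]Filter, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	q := vals.Get("query")
	if q == "" {
		return nil, nil
	}
	var fs []Filter
	if err := json.Unmarshal([]byte(q), &fs); err != nil {
		return nil, err
	}
	return fs, nil
}

// ScanLog reports every fuzzy filter and rates it by whether each
// comma-separated column is a known identifier of the requested entity.
func ScanLog(lines []string, schema map[string]map[string]bool) []Finding {
	var out []Finding
	for i, ln := range lines {
		m := reqRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		entity := strings.TrimPrefix(m[1], "/api/")
		fs, err := parseFilters(m[2])
		if err != nil {
			// A query that is not valid JSON is itself worth a look.
			out = append(out, Finding{i + 1, entity, "unparseable", nil, nil, "medium"})
			continue
		}
		for _, f := range fs {
			if !fuzzyOps[f.Operator] {
				continue
			}
			cols := strings.Split(f.Column, ",")
			var bad []string
			for _, c := range cols {
				c = strings.TrimSpace(c)
				if !identRe.MatchString(c) || !schema[entity][c] {
					bad = append(bad, c)
				}
			}
			sev := "info"
			if len(bad) > 0 {
				sev = "high"
			}
			out = append(out, Finding{i + 1, entity, f.Operator, cols, bad, sev})
		}
	}
	return out
}

func main() {
	for _, f := range ScanLog(sampleLog, knownColumns) {
		fmt.Printf("line %d entity=%s op=%s columns=%v bad=%v severity=%s\n",
			f.LineNo, f.Entity, f.Operator, f.Columns, f.BadCols, f.Severity)
	}
}
```

Feeding a real access log in place of sampleLog and the real entity schema in place of knownColumns turns the informational findings into a baseline of legitimate fuzzy searches and leaves the high findings as the ones to investigate.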
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Daptin to version 0.11.5 or later, where the vulnerability has been patched.
Version 0.11.5 includes a whitelist check that validates column names against the table schema before they are used in SQL queries, preventing this SQL injection.
Until the upgrade can be applied, consider restricting access to the vulnerable API endpoints to trusted users only, or disabling the fuzzy search feature if possible.
Monitoring and alerting on suspicious requests to the /api/<entity> endpoint with fuzzy operators can also help in early detection and response.
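A reconstruction of the vulnerable pattern next to the whitelist fix described in the answers above, written in Go as an added example; it is not Daptin's processFuzzySearch and does not reproduce the project's code. The function names, the table-to-column map standing in for the schema, and the mapping of fuzzy_all to AND and the other fuzzy operators to OR are assumptions. Both builders bind the search value as a parameter; the difference is that only the safe builder checks each comma-separated column name against the schema before it reaches the SQL text.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tableColumns stands in for the CMS table schema (constructed; not Daptin's).
var tableColumns = map[string]map[string]bool{
	"user_account": {"name": true, "email": true, "created_at": true},
}

// ErrUnknownColumn is returned when a requested column is not in the schema.
var ErrUnknownColumn = errors.New("column not in table schema")

// joiner maps the operator to the predicate connective. Treating fuzzy_all
// as AND and the others as OR is an assumption for this example.
func joiner(operator string) string {
	if operator == "fuzzy_all" {
		return " AND "
	}
	return " OR "
}

// buildFuzzyWhereUnsafe reproduces the vulnerable shape: the comma-separated
// column list is split and each piece is pasted into the SQL text unchecked.
// Only the search value is bound as a parameter, so the column segment is the
// user-controlled part of the statement.
func buildFuzzyWhereUnsafe(table, columns, operator, value string) (string, []interface{}) {
	var preds []string
	var args []interface{}
	for _, c := range strings.Split(columns, ",") {
		preds = append(preds, strings.TrimSpace(c)+" LIKE ?")
		args = append(args, "%"+value+"%")
	}
	return "SELECT * FROM " + table + " WHERE " + strings.Join(preds, joiner(operator)), args
}

// validateColumns is the whitelist check: every segment must be an exact
// column name of the requested table, otherwise the request is rejected.
func validateColumns(table, columns string) ([]string, error) {
	allowed, ok := tableColumns[table]
	if !ok {
		return nil, fmt.Errorf("unknown table %q", table)
	}
	var cols []string
	for _, c := range strings.Split(columns, ",") {
		c = strings.TrimSpace(c)
		if !allowed[c] {
			return nil, fmt.Errorf("%w: %q", ErrUnknownColumn, c)
		}
		cols = append(cols, c)
	}
	return cols, nil
}

// buildFuzzyWhereSafe is the hardened form: identifiers come only from the
// schema map, and the value stays a bound parameter.
func buildFuzzyWhereSafe(table, columns, operator, value string) (string, []interface{}, error) {
	cols, err := validateColumns(table, columns)
	if err != nil {
		return "", nil, err
	}
	var preds []string
	var args []interface{}
	for _, c := range cols {
		preds = append(preds, c+" LIKE ?")
		args = append(args, "%"+value+"%")
	}
	return "SELECT * FROM " + table + " WHERE " + strings.Join(preds, joiner(operator)), args, nil
}

func main() {
	bad := "name)--" // not a column name; the unsafe builder pastes it in verbatim
	q, _ := buildFuzzyWhereUnsafe("user_account", bad, "fuzzy", "ali")
	fmt.Println("unsafe:", q)
	if _, _, err := buildFuzzyWhereSafe("user_account", bad, "fuzzy", "ali"); err != nil {
		fmt.Println("safe rejected:", err)
	}
	q, args, _ := buildFuzzyWhereSafe("user_account", "name,email", "fuzzy_all", "ali")
	fmt.Println("safe:", q, args)
}
```

Identifier quoting is left out because it differs by backend (backticks, double quotes, or brackets) and is not what makes the safe builder safe: the column text can only ever be a key of the schema map, so nothing user-supplied is concatenated into the statement.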