CVE-2026-44521
Authenticated SQL Injection in elFinder MySQL Volume Driver

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: elnfiner
Product: elfinder
Version / Range: 2.1.68
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authenticated SQL injection in the elFinder MySQL volume driver (elFinderVolumeMySQL) affecting versions 2.1.67 and earlier. It allows any logged-in user, even those with read-only access, to inject malicious SQL commands by crafting a special target file hash. This happens because the file hashes are decoded without proper validation before being used in MySQL queries.

The vulnerability only affects installations configured to use the MySQL volume driver and not the default LocalFileSystem driver. Exploiting this flaw can lead to unauthorized access to data or denial of service conditions.

How can this vulnerability impact me?

Exploiting this vulnerability can result in unauthorized disclosure of sensitive data and denial of service on the affected system. Since any logged-in user, including those with read-only permissions, can perform the attack, it increases the risk of data exposure or system disruption.

The impact depends on the privileges of the MySQL account used by the volume driver, potentially allowing attackers to access or manipulate data beyond their intended permissions.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if your elFinder installation is using the MySQL volume driver (elFinderVolumeMySQL) and if the version is 2.1.67 or earlier.

Since the vulnerability is an authenticated SQL injection via crafted target file hashes, monitoring for unusual or malformed file hash inputs in logs or application requests may help detect exploitation attempts.

Specific commands are not provided in the referenced resources, but general approaches include:

  • Checking the elFinder version by reviewing the installed package or querying the application.
  • Reviewing web server or application logs for suspicious requests containing unusual file hash parameters.
  • Using SQL query logging on the MySQL server to detect unexpected or malformed queries originating from elFinder.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade elFinder to version 2.1.68 or later, where the SQL injection vulnerability in the MySQL volume driver is fixed.

If upgrading immediately is not possible, consider disabling the MySQL volume driver and using the default LocalFileSystem driver, as the vulnerability only affects the MySQL volume driver.

Additionally, restrict access to elFinder to trusted authenticated users only, and monitor for suspicious activity related to file hash inputs.
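The explanation above describes the bug class (a decoded target hash reaching a MySQL query without validation) and the fix is the vendor upgrade. The following is an added illustration, not elFinder's own code, of the vulnerable pattern beside a hardened one. It assumes an elFinder-style hash (volume prefix such as `m1_` plus URL-safe base64 with `=` padding written as `.`), a numeric file id as the decoded path, and uses an in-memory SQLite table as a stand-in for the MySQL files table.

```python
import base64
import re
import sqlite3

PREFIX = "m1_"  # assumed volume id prefix


def make_db():
    """Constructed sample table standing in for the MySQL volume driver's files table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, content TEXT)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?)",
                   [(1, "readme.txt", "public"), (2, "secrets.txt", "private")])
    return db


def encode_hash(path, prefix=PREFIX):
    """Assumed elFinder-style hash: prefix + URL-safe base64, '=' padding as '.'."""
    return prefix + base64.urlsafe_b64encode(path.encode()).decode().replace("=", ".")


def decode_hash(h, prefix=PREFIX):
    """Reverse of encode_hash; only checks the volume prefix, not the decoded content."""
    if not h.startswith(prefix):
        raise ValueError("hash does not belong to this volume")
    return base64.urlsafe_b64decode(h[len(prefix):].replace(".", "=")).decode()


def lookup_vulnerable(db, h):
    """CWE-89 pattern: the decoded path is interpolated straight into the SQL text,
    so a crafted hash changes the query instead of selecting one file id."""
    path = decode_hash(h)
    return db.execute(f"SELECT name FROM files WHERE id={path}").fetchall()


def lookup_hardened(db, h):
    """Fixed pattern: reject anything that is not a plain integer id, then bind it
    as a parameter so the database never parses user input as SQL."""
    path = decode_hash(h)
    if not re.fullmatch(r"[0-9]+", path):
        raise ValueError("malformed target hash")
    return db.execute("SELECT name FROM files WHERE id=?", (int(path),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_hardened(db, encode_hash("1")))       # one file, as intended
    crafted = encode_hash("1 OR 1=1")                   # decoded path is not an id
    print(len(lookup_vulnerable(db, crafted)), "rows leaked by the vulnerable lookup")
    try:
        lookup_hardened(db, crafted)
    except ValueError as e:
        print("hardened lookup rejected it:", e)
```

Before upgrading, the same validation idea gives a cheap detection signal: any target hash whose decoded value is not a plain numeric id on a MySQL-backed volume is worth flagging in logs.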

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The authenticated SQL injection vulnerability in elFinder's MySQL volume driver can lead to unauthorized data disclosure and denial of service. Such unauthorized data exposure may result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of sensitive personal and health information.

Because the vulnerability allows attackers to access or disrupt data without proper authorization, organizations using affected versions of elFinder with the MySQL volume driver may face risks related to confidentiality, integrity, and availability of data, which are core principles in many compliance frameworks.

Therefore, failure to patch this vulnerability could lead to violations of regulatory requirements concerning data security and privacy.