CVE-2026-44521
Deferred Deferred - Pending Action
Authenticated SQL Injection in elFinder MySQL Volume Driver

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44521
EUVD
EUVD-2026-32607
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elnfiner elfinder 2.1.68
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The authenticated SQL injection vulnerability in elFinder's MySQL volume driver can lead to unauthorized data disclosure and denial of service. Such unauthorized data exposure may result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of sensitive personal and health information.

Because the vulnerability allows attackers to access or disrupt data without proper authorization, organizations using affected versions of elFinder with the MySQL volume driver may face risks related to confidentiality, integrity, and availability of data, which are core principles in many compliance frameworks.

Therefore, failure to patch this vulnerability could lead to violations of regulatory requirements concerning data security and privacy.

Executive Summary

This vulnerability is an authenticated SQL injection in the elFinder MySQL volume driver (elFinderVolumeMySQL) affecting versions 2.1.67 and earlier. It allows any logged-in user, even those with read-only access, to inject malicious SQL commands by crafting a special target file hash. This happens because the file hashes are decoded without proper validation before being used in MySQL queries.

The vulnerability only affects installations configured to use the MySQL volume driver and not the default LocalFileSystem driver. Exploiting this flaw can lead to unauthorized access to data or denial of service conditions.

Impact Analysis

Exploiting this vulnerability can result in unauthorized disclosure of sensitive data and denial of service on the affected system. Since any logged-in user, including those with read-only permissions, can perform the attack, it increases the risk of data exposure or system disruption.

The impact depends on the privileges of the MySQL account used by the volume driver, potentially allowing attackers to access or manipulate data beyond their intended permissions.

Detection Guidance

Detection of this vulnerability involves identifying if your elFinder installation is using the MySQL volume driver (elFinderVolumeMySQL) and if the version is 2.1.67 or earlier.

Since the vulnerability is an authenticated SQL injection via crafted target file hashes, monitoring for unusual or malformed file hash inputs in logs or application requests may help detect exploitation attempts.

Specific commands are not provided in the resources, but general approaches include:

  • Checking the elFinder version by reviewing the installed package or querying the application.
  • Reviewing web server or application logs for suspicious requests containing unusual file hash parameters.
  • Using SQL query logging on the MySQL server to detect unexpected or malformed queries originating from elFinder.
Mitigation Strategies

The immediate mitigation step is to upgrade elFinder to version 2.1.68 or later, where the SQL injection vulnerability in the MySQL volume driver is fixed.

If upgrading immediately is not possible, consider disabling the MySQL volume driver and using the default LocalFileSystem driver, as the vulnerability only affects the MySQL volume driver.

Additionally, restrict access to elFinder to trusted authenticated users only, and monitor for suspicious activity related to file hash inputs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart