CVE-2026-6093
SQL Injection in Corteza Compose Records Filter
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: Fluid Attacks
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| corteza | corteza | 2024.9.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6093 is a SQL injection vulnerability in the Corteza platform version 2024.9.8, specifically affecting its Microsoft SQL Server backend when filtering Compose records by the meta field.
The issue arises from improper escaping of single quotes in SQL queries within the code, where the implementation uses strings.ReplaceAll(path, "'", "\\'") instead of the correct method of doubling single quotes as required by SQL standards.
Additionally, the vulnerability is worsened by the ParseMeta JSON path skipping validation of certain keys, allowing an attacker to exploit this flaw.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow an attacker to manipulate database queries, potentially leading to unauthorized data access or modification.
Since the vulnerability affects filtering of Compose records by meta fields, an attacker might exploit it to extract sensitive information or alter data within the Corteza platform.
As of the disclosure date, no patch is available, which means systems running the affected version remain at risk until a fix is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-6093 involves identifying exploitation attempts of the SQL injection vulnerability in Corteza version 2024.9.8, specifically targeting the Microsoft SQL Server backend when filtering Compose records by the meta field.
Since the vulnerability arises from improper escaping of single quotes in SQL queries, monitoring for unusual or malformed SQL queries containing single quotes or attempts to inject SQL code in the meta field filters could help detect exploitation.
No specific detection commands are provided in the available resources. However, general detection methods could include:
- Using network monitoring tools to capture and analyze SQL queries sent to the MSSQL backend for suspicious patterns.
- Reviewing application logs for errors or anomalies related to Compose record filtering or meta field processing.
- Employing SQL Server auditing features to log and review queries that include suspicious string patterns or injection attempts.
Since no explicit commands or scripts are provided, users are advised to consult official security advisories or the Corteza project's SECURITY.md for potential detection tools or updates.
What immediate steps should I take to mitigate this vulnerability?
As of the public disclosure date, there is no available patch for CVE-2026-6093.
Immediate mitigation steps include:
- Avoid using or exposing the vulnerable filtering functionality on the Compose records meta field in Corteza version 2024.9.8.
- Restrict access to the Corteza application and its MSSQL backend to trusted users only, minimizing the risk of exploitation.
- Monitor for suspicious activity or exploitation attempts as described in detection recommendations.
- Follow the Corteza project and Fluid Attacks advisories for updates or patches addressing this vulnerability.