CVE-2026-7699
SQL Injection in Dromara MaxKey
Publication date: 2026-05-03
Last updated on: 2026-05-05
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dromara | maxkey | up to 3.5.13 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7699 is a critical SQL injection vulnerability in Dromara MaxKey, an open-source Identity and Access Management (IAM) and single sign-on (SSO) platform. The flaw lies in the function StrUtils.checkSqlInjection in StrUtils.java, which attempts to filter SQL injection attempts with a keyword check that is incomplete and easily bypassed.
Specifically, user-controlled parameters such as `filters` and `orgIdsList` are concatenated directly into SQL statements through MyBatis raw interpolation, with neither proper sanitization nor parameter binding. This allows attackers, in particular those holding admin privileges, to inject arbitrary SQL remotely.
The vulnerability affects multiple mapper files and methods, enabling attacks like UNION-based data extraction, time-based blind SQL injection, and even writing files to the server if MySQL FILE permissions are enabled.
How can this vulnerability impact me?
A successful exploit of this vulnerability can lead to full compromise of the MaxKey IAM system. Attackers can execute arbitrary SQL commands to extract sensitive data such as user password hashes, OAuth client secrets, and SAML certificates.
Additionally, attackers can perform identity forgery by signing SSO tokens for any user, enabling unauthorized access across all applications integrated with MaxKey.
The vulnerability also allows lateral movement within the enterprise environment, potentially compromising the entire authentication infrastructure and all connected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for SQL injection in the affected parameters, specifically the `filters` and `orgIdsList` parameters of the MaxKey IAM platform. Before any active testing, compare the deployed MaxKey version against the affected range listed above (up to and including 3.5.13); an instance on a later release is outside the range this record covers. Since the flaw allows SQL injection through these parameters, you can attempt typical payloads such as UNION-based queries, time-based blind commands like `SLEEP(3)`, or comment-based truncation, and observe abnormal behaviour or delays.
For example, use curl or a similar HTTP client to send crafted requests to the vulnerable endpoints, injecting SQL payloads into the `filters` parameter, and observe the response body or the response time. The endpoint path in the commands below is a placeholder; the affected mapper files and methods are not named in this record.
- Test for time-based blind SQL injection: `curl -X POST 'http://<maxkey-server>/api/endpoint' -d 'filters=1 OR SLEEP(3)-- '`
- Test for UNION-based SQL injection: `curl -X POST 'http://<maxkey-server>/api/endpoint' -d 'filters=1 UNION SELECT user(),database()-- '`
Unusual delays, or database error messages surfacing in responses, help confirm the presence of the vulnerability.
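Beyond active probing, the same indicators can be searched for in request logs already on hand, which is the non-intrusive route to finding attempts against the two parameters this record names. The script below is an added example, not code from this record or from the MaxKey project: it parses a constructed log shape (client, method, request target, status, response time), percent-decodes the `filters` and `orgIdsList` values, and flags the payload classes described above (UNION extraction, `SLEEP(` time-based probes, comment truncation) together with slow or 5xx responses on requests that touch those parameters. Endpoint paths and the log format are assumptions; the affected mapper methods are not named in this record.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two request parameters this advisory names as injection sinks.
WATCHED_PARAMS = ("filters", "orgIdsList")

# Indicator patterns for the payload classes the advisory describes:
# UNION-based extraction, time-based blind injection and comment truncation,
# plus the common boolean tautology. Keyword lists like this are a detection
# aid, not a security control (the advisory notes the product's own keyword
# filter was bypassable).
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment_truncation", re.compile(r"(--|#|/\*)")),
    ("boolean_tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
]

# Responses slower than this on a watched endpoint are a secondary signal
# for time-based blind injection (SLEEP(3) in the advisory's example).
SLOW_RESPONSE_SECONDS = 2.5

# Log line shape assumed here (constructed, not MaxKey's real log format):
# client method path+query status response_time_seconds
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) ([\d.]+)$")

# Constructed sample traffic. Endpoint paths are placeholders; the affected
# mapper methods are not named in this record.
SAMPLE_LOG = """\
10.0.0.5 GET /maxkey/example/list?filters=name%20like%20%27a%25%27&pageNumber=1 200 0.12
10.0.0.9 GET /maxkey/example/list?filters=1%20OR%20SLEEP(3)--%20 200 3.08
10.0.0.9 GET /maxkey/example/list?filters=1%20UNION%20SELECT%20user()%2Cdatabase()--%20 500 0.20
10.0.0.7 GET /maxkey/example/tree?orgIdsList=1%2C2%2C3 200 0.09
10.0.0.9 GET /maxkey/example/tree?orgIdsList=1)%20OR%201=1%23 200 0.11
"""


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, target, status, elapsed = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    touched = [p for p in WATCHED_PARAMS if p in params]
    if not touched:
        return None

    reasons = set()
    for name in touched:
        for value in params[name]:
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    reasons.add(f"{name}:{label}")
    # Timing and error signals only matter on requests that touch a sink.
    if float(elapsed) >= SLOW_RESPONSE_SECONDS:
        reasons.add("slow_response")
    if status.startswith("5"):
        reasons.add("server_error")

    if not reasons:
        return None
    return {"client": client, "method": method, "path": parts.path,
            "status": int(status), "reasons": sorted(reasons)}


def scan_log(text: str):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, three of the five lines are reported: the `SLEEP(3)` probe (keyword plus a 3-second response), the UNION probe (keyword plus a 500), and the tautology against `orgIdsList`. POST bodies are not present in a typical access log; if the reverse proxy or application log records them, feed the decoded body parameters through the same `INDICATORS` loop.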
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable MaxKey instance, in particular limiting the admin privileges from which the `filters` and `orgIdsList` parameters can be reached.
Since the vulnerability arises from improper input validation and the absence of parameterized queries, avoid exposing the affected endpoints to untrusted users and monitor them for suspicious activity.
If possible, apply input filtering or web application firewall (WAF) rules to block SQL injection patterns such as UNION, SELECT, SLEEP, and comment characters in requests targeting these parameters. Treat this as a stopgap: the record itself notes that the product's own keyword filter in StrUtils.checkSqlInjection was incomplete and bypassable, and the durable fix is binding these values as query parameters rather than interpolating them.
Additionally, consider isolating or disabling the affected modules until a patch or fix is available, and review logs for any signs of exploitation.
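To make the difference between the interpolation this record describes and the recommended fix concrete, the following is an added example in Python with sqlite3; it is not MaxKey's code or the project's mapper, and the user table is constructed. `users_in_orgs_unsafe` pastes the `orgIdsList` string into the statement text, which is the behaviour of MyBatis `${...}` raw interpolation; `users_in_orgs_safe` first validates the list against an integer allow-list and then binds every element as a parameter, which is what MyBatis `#{...}` inside a `<foreach>` does; `users_matching_safe` shows the same binding for a free-text `filters`-style value. Function and column names are hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an IAM user directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, org_id INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, org_id) VALUES (?, ?)",
        [("alice", 1), ("bob", 1), ("carol", 2), ("dave", 3)],
    )
    return conn


def users_in_orgs_unsafe(conn, org_ids_list: str) -> list:
    """Raw interpolation, the pattern behind CWE-89: the request string is
    pasted into the statement text (what MyBatis ${...} does)."""
    sql = f"SELECT username FROM users WHERE org_id IN ({org_ids_list})"
    return sorted(row[0] for row in conn.execute(sql))


def parse_org_ids(org_ids_list: str) -> list:
    """Allow-list validation for a list parameter: every element must be a
    non-negative integer, otherwise the request is rejected outright."""
    ids = []
    for token in org_ids_list.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError(f"rejected org id {token!r}: not an integer")
        ids.append(int(token))
    if not ids:
        raise ValueError("empty org id list")
    return ids


def users_in_orgs_safe(conn, org_ids_list: str) -> list:
    """Validate the list, then bind each element as a parameter (what MyBatis
    #{...} inside a <foreach> does). The SQL text never contains user input."""
    ids = parse_org_ids(org_ids_list)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT username FROM users WHERE org_id IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, ids))


def users_matching_safe(conn, name_filter: str) -> list:
    """Bound LIKE pattern for a free-text filter: the value can only ever be
    compared as data; '%' and '_' act as wildcards, never as SQL."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (name_filter + "%",)))


if __name__ == "__main__":
    db = make_db()
    print(users_in_orgs_unsafe(db, "1"))             # ['alice', 'bob']
    print(users_in_orgs_unsafe(db, "1) OR 1=1 --"))  # every user: the input became SQL
    try:
        users_in_orgs_safe(db, "1) OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)                      # the same input never reaches the database
    print(users_in_orgs_safe(db, "1, 3"))            # ['alice', 'bob', 'dave']
```

The validation step matters as much as the binding: a list parameter cannot be bound as a single placeholder, so the safe path builds exactly one `?` per validated integer. Anything that is not an integer is rejected before a statement is prepared, which is a stronger control than the keyword filtering described in this record, because there is no keyword list to bypass.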
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This SQL injection vulnerability in MaxKey can lead to full compromise of the IAM system, including exfiltration of sensitive data such as user credentials, OAuth client secrets, and SAML certificates.
Such a compromise poses significant risks to compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and mandate controls to prevent unauthorized access and data breaches.
A successful exploit could result in identity forgery and lateral movement across integrated applications, increasing the likelihood of data breaches and non-compliance with data protection requirements.