CVE-2026-7699
SQL Injection in Dromara MaxKey

Publication date: 2026-05-03

Last updated on: 2026-05-05

Assigner: VulDB

Description
A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Manipulation of the argument filtersfields results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
  • Published: 2026-05-03
  • Last Modified: 2026-05-05
  • Generated: 2026-05-27
  • AI Q&A: 2026-05-03
  • EPSS Evaluated: 2026-05-25
  • External references: NVD, EUVD
Affected Vendors & Products
One associated CPE:
  • Vendor: dromara; Product: maxkey; Version / Range: up to 3.5.13 (inclusive)
CWE IDs
  • CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
  • CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7699 is a critical SQL injection vulnerability in Dromara MaxKey, an open-source Identity and Access Management (IAM) and single sign-on (SSO) platform. The flaw exists in the function StrUtils.checkSqlInjection within StrUtils.java, which attempts to filter SQL injection attempts but is incomplete and easily bypassed.

Specifically, user-controlled parameters such as 'filters' and 'orgIdsList' are directly concatenated into SQL queries using MyBatis raw interpolation without proper sanitization or parameterization. This allows attackers, especially those with admin privileges, to inject arbitrary SQL commands remotely.

The vulnerability affects multiple mapper files and methods, enabling attacks like UNION-based data extraction, time-based blind SQL injection, and even writing files to the server if MySQL FILE permissions are enabled.


How can this vulnerability impact me?

A successful exploit of this vulnerability can lead to full compromise of the MaxKey IAM system. Attackers can execute arbitrary SQL commands to extract sensitive data such as user password hashes, OAuth client secrets, and SAML certificates.

Additionally, attackers can perform identity forgery by signing SSO tokens for any user, enabling unauthorized access across all applications integrated with MaxKey.

The vulnerability also allows lateral movement within the enterprise environment, potentially compromising the entire authentication infrastructure and all connected systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing for SQL injection in the affected parameters, specifically the `filters` and `orgIdsList` parameters in the MaxKey IAM platform. Since the vulnerability allows SQL injection via these parameters, you can attempt to inject typical SQL payloads such as UNION-based queries, time-based blind SQL injection commands like `SLEEP(3)`, or comment-based truncation to observe abnormal behavior or delays.

For example, you can use curl or a similar HTTP request tool to send crafted requests to the vulnerable endpoints, injecting SQL payloads into the `filters` parameter and observing the response content or timing delays.

  • Use a curl command to test time-based blind SQL injection: curl -X POST 'http://<maxkey-server>/api/endpoint' -d 'filters=1 OR SLEEP(3)-- '
  • Check for UNION-based SQL injection by injecting payloads like: curl -X POST 'http://<maxkey-server>/api/endpoint' -d 'filters=1 UNION SELECT user(),database()-- '

Monitoring for unusual delays or error messages in responses can help confirm the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable MaxKey instance, and in particular limiting the admin privileges through which the `filters` and `orgIdsList` parameters can be exploited.

Since the vulnerability arises from improper input validation and lack of parameterized queries, you should avoid exposing the affected endpoints to untrusted users and monitor for suspicious activity.

If possible, apply input filtering or web application firewall (WAF) rules to block SQL injection patterns such as UNION, SELECT, SLEEP, and comment characters in requests targeting these parameters.

Additionally, consider isolating or disabling the affected modules until a patch or fix is available, and review logs for any signs of exploitation.
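The following is an added example (not MaxKey's code) of the hardened pattern the mitigation advice points at: filter field names are SQL identifiers that cannot be bound as query parameters, so they are checked against an allowlist instead of a keyword blocklist, while filter values are always bound as parameters and never concatenated. The table, rows and allowed field names are constructed for the demo.

```python
import re
import sqlite3

# Constructed allowlist of columns a caller may filter on. Identifiers cannot be
# parameterized, so an explicit allowlist (not a blocklist of SQL keywords, which
# is the approach a checkSqlInjection-style filter takes) is the control.
ALLOWED_FILTER_FIELDS = {"username", "displayname", "status"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_filtered_query(filters):
    """Return (sql, params) for filters given as {field: value}.

    Field names must be plain identifiers present in the allowlist; values are
    returned as bound parameters so the database never parses them as SQL.
    """
    clauses, params = [], []
    for field, value in filters.items():
        if not IDENT_RE.match(field) or field not in ALLOWED_FILTER_FIELDS:
            raise ValueError(f"filter field not permitted: {field!r}")
        clauses.append(f"{field} = ?")   # identifier from allowlist, value bound
        params.append(value)
    sql = "SELECT id, username FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY id", params


def query_users(conn, filters):
    """Run the allowlisted, parameterized query and return matching usernames."""
    sql, params = build_filtered_query(filters)
    return [row[1] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed in-memory table standing in for the IAM user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, displayname TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "Alice", "active"), (2, "bob", "Bob", "disabled")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(query_users(db, {"status": "active"}))            # ['alice']
    print(query_users(db, {"username": "1 OR SLEEP(3)-- "}))  # [] : value is inert
```

A value carrying the page's time-based payload shape simply matches no row, and a field name that is not a bare allowlisted identifier is rejected before any SQL is built.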


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This SQL injection vulnerability in MaxKey can lead to full compromise of the IAM system, including exfiltration of sensitive data such as user credentials, OAuth client secrets, and SAML certificates.

Such a compromise poses significant risks to compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and mandate controls to prevent unauthorized access and data breaches.

A successful exploit could result in identity forgery and lateral movement across integrated applications, increasing the likelihood of data breaches and non-compliance with data protection requirements.

