CVE-2026-8851
SQL Injection in SOGo 5.12.7 via ACL Management
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inverse | sogo | 5.12.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SOGo version 5.12.7 and involves a SQL injection flaw in the Access Control List (ACL) management functionality.
Authenticated users can exploit this flaw by injecting malicious SQL subqueries through the uid parameter of the addUserInAcls endpoint.
This allows attackers to extract arbitrary data from the database by writing the extracted data into the sogo_acl table and then retrieving it via the /acls API, effectively creating an out-of-band data exfiltration channel.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized extraction of sensitive data from the database by authenticated users.
Attackers can exploit this to access confidential information that they should not have permission to see.
This can result in data breaches, loss of data confidentiality, and potential misuse of the extracted information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to perform SQL injection attacks to extract arbitrary data from the database, potentially leading to unauthorized access and exfiltration of sensitive information.
Such unauthorized data access and exfiltration can compromise the confidentiality and integrity of personal or sensitive data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA.
Organizations using affected versions of SOGo could face regulatory risks if this vulnerability is exploited, as it undermines the security controls required to protect sensitive data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in SOGo versions 5.12.7 and prior, you should upgrade to SOGo version 5.12.8 or later, where this issue has been fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection through the uid parameter of the addUserInAcls endpoint in SOGo versions 5.12.7 and prior. Detection can focus on monitoring and analyzing requests to this endpoint for suspicious or malformed SQL injection payloads.
To detect exploitation attempts, you can inspect web server logs or use network monitoring tools to look for unusual HTTP requests targeting the addUserInAcls endpoint, especially those containing SQL syntax or subqueries in the uid parameter.
- Use tools like curl or wget to manually test the endpoint for SQL injection by sending crafted requests with SQL payloads in the uid parameter.
- Example curl command to test the endpoint (replace <URL> with your SOGo server address):
- curl -X POST '<URL>/addUserInAcls' -d 'uid=1 OR 1=1 -- '
- Monitor the sogo_acl table or use database query logs to detect unexpected data writes or reads that could indicate exploitation.
Note: Specific detection commands or scripts are not provided in the available resources, so these suggestions are based on the nature of the vulnerability and common SQL injection detection practices.
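The log review suggested above can be scripted. The following is an added example written for this page; it is not code from the advisory, from VulnCheck, or from the SOGo project. It assumes an Apache/nginx "combined" access-log format, a SOGo URL layout in which the ACL endpoint appears as the last path segment (`.../addUserInAcls`) with `uid` in the query string, and an allowlist of characters that a legitimate uid (login name or e-mail address) may contain; all three are assumptions to adjust for your deployment. The sample log lines are constructed. It flags requests to the endpoint whose uid fails the allowlist, names which SQL indicators matched, and separately reports requests where the uid is not visible at all (POST bodies are not written to access logs, so those must be checked in SOGo's own logs or database query logs).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log line (assumed format; adjust LOG_RE for yours).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Last path segment of the ACL endpoint named in the advisory (CVE-2026-8851).
ACL_ENDPOINT = "addUserInAcls"

# A SOGo uid is normally a login name or e-mail address; anything outside this
# allowlist deserves a look (assumption: adjust to your directory's naming rules).
UID_ALLOWED = re.compile(r"^[A-Za-z0-9._@+-]{1,128}$")

# Named SQL-syntax indicators, so a finding explains *why* the value was flagged.
SQL_INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|/\*|#"),
    "separator": re.compile(r";"),
    "keyword": re.compile(r"\b(select|union|insert|update|delete|from|where|or|and)\b", re.I),
    "subquery": re.compile(r"\(\s*select\b", re.I),  # the form the advisory describes
}


def classify_uid(uid: str) -> list[str]:
    """Return the indicator names matched by uid; [] means it passed the allowlist."""
    if UID_ALLOWED.fullmatch(uid):
        return []
    hits = [name for name, rx in SQL_INDICATORS.items() if rx.search(uid)]
    return hits or ["non-allowlisted-chars"]


def scan_log(lines) -> list[dict]:
    """One finding per request to the ACL endpoint whose uid is suspicious, or whose
    uid cannot be seen in the access log (POST bodies are not logged there)."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + ACL_ENDPOINT):
            continue
        uids = parse_qs(url.query, keep_blank_values=True).get("uid", [])
        if not uids:
            findings.append({**m.groupdict(), "uid": None,
                             "indicators": ["uid-not-in-access-log"]})
            continue
        for uid in uids:  # parse_qs already percent-decodes the value
            hits = classify_uid(uid)
            if hits:
                findings.append({**m.groupdict(), "uid": uid, "indicators": hits})
    return findings


# Constructed sample log: one benign ACL change, one read of /acls, two requests
# carrying SQL syntax in uid, and one POST whose parameters are not logged.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/May/2026:10:01:02 +0000] "GET /SOGo/so/alice/Calendar/personal/addUserInAcls?uid=bob HTTP/1.1" 200 512
10.0.0.5 - alice [18/May/2026:10:01:05 +0000] "GET /SOGo/so/alice/Calendar/personal/acls HTTP/1.1" 200 1024
10.0.0.9 - mallory [18/May/2026:10:03:11 +0000] "GET /SOGo/so/mallory/Calendar/personal/addUserInAcls?uid=1%20OR%201%3D1%20--%20 HTTP/1.1" 200 512
10.0.0.9 - mallory [18/May/2026:10:03:14 +0000] "GET /SOGo/so/mallory/Calendar/personal/addUserInAcls?uid=a%27%2C%28SELECT%201%29%29-- HTTP/1.1" 200 512
10.0.0.9 - mallory [18/May/2026:10:03:20 +0000] "POST /SOGo/so/mallory/Contacts/personal/addUserInAcls HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["user"], f["method"], repr(f["uid"]), ", ".join(f["indicators"]))
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log"))`. The allowlist check runs before the indicator patterns so that a uid such as `or.andersen@example.org` is not flagged merely for containing `or`; the indicator names are only there to explain a value that already failed the allowlist. A follow-up worth scripting is correlating a flagged request with the same user's subsequent reads of the `/acls` resource, since the advisory describes that read as the retrieval half of the exfiltration channel.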