CVE-2026-8851
Deferred Deferred - Pending Action
SQL Injection in SOGo 5.12.7 via ACL Management

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: VulnCheck

Description
SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8851
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
inverse sogo 5.12.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users to perform SQL injection attacks to extract arbitrary data from the database, potentially leading to unauthorized access and exfiltration of sensitive information.

Such unauthorized data access and exfiltration can compromise the confidentiality and integrity of personal or sensitive data, which may result in non-compliance with data protection regulations such as GDPR and HIPAA.

Organizations using affected versions of SOGo could face regulatory risks if this vulnerability is exploited, as it undermines the security controls required to protect sensitive data.

Executive Summary

This vulnerability exists in SOGo version 5.12.7 and involves a SQL injection flaw in the Access Control List (ACL) management functionality.

Authenticated users can exploit this flaw by injecting malicious SQL subqueries through the uid parameter of the addUserInAcls endpoint.

This allows attackers to extract arbitrary data from the database by writing the extracted data into the sogo_acl table and then retrieving it via the /acls API, effectively creating an out-of-band data exfiltration channel.

Impact Analysis

The vulnerability can lead to unauthorized extraction of sensitive data from the database by authenticated users.

Attackers can exploit this to access confidential information that they should not have permission to see.

This can result in data breaches, loss of data confidentiality, and potential misuse of the extracted information.

Mitigation Strategies

To mitigate the SQL injection vulnerability in SOGo versions 5.12.7 and prior, you should upgrade to SOGo version 5.12.8 or later, where this issue has been fixed.

Detection Guidance

This vulnerability involves SQL injection through the uid parameter of the addUserInAcls endpoint in SOGo versions 5.12.7 and prior. Detection can focus on monitoring and analyzing requests to this endpoint for suspicious or malformed SQL injection payloads.

To detect exploitation attempts, you can inspect web server logs or use network monitoring tools to look for unusual HTTP requests targeting the addUserInAcls endpoint, especially those containing SQL syntax or subqueries in the uid parameter.

  • Use tools like curl or wget to manually test the endpoint for SQL injection by sending crafted requests with SQL payloads in the uid parameter.
  • Example curl command to test the endpoint (replace <URL> with your SOGo server address):
  • curl -X POST '<URL>/addUserInAcls' -d 'uid=1 OR 1=1 -- '
  • Monitor the sogo_acl table or use database query logs to detect unexpected data writes or reads that could indicate exploitation.

Note: Specific detection commands or scripts are not provided in the available resources, so these suggestions are based on the nature of the vulnerability and common SQL injection detection practices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart