CVE-2026-12206
Status: Received - Intake
SQL Injection in Grit42 Grit

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A vulnerability was identified in Grit42 Grit up to 0.11.0. The issue affects the Grit::Assays::DataTableEntity class in the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection. The attack can be carried out remotely. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
grit42   grit      from 0.8.0 (inclusive) through 0.11.0 (inclusive)
grit42   grit      up to and including 0.11.0
CWE ID and Description
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Quick Actions (AI-generated analysis)
Executive Summary

CVE-2026-12206 is a SQL injection vulnerability in the grit42 Data Table Entity endpoint, affecting versions 0.8.0 through 0.11.0 of the assays module.

The flaw is in the Grit::Assays::DataTableEntity model, where the value of params[:data_table_id] is interpolated into a SQL JOIN clause without sanitization.

The same parameter is first passed to DataTable.find(params[:data_table_id]), where ActiveRecord casts it to an integer, so a value such as `1 OR 1=1` still resolves to record 1 and passes the lookup; the original, uncast string is then used verbatim in the JOIN clause, and the trailing SQL is executed by the database.

Any authenticated user, including an account with no roles assigned, can therefore perform boolean-based blind SQL injection and extract sensitive data such as administrator tokens.
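
The two code paths described above, side by side, as an added Ruby illustration that is not Grit42's code: a stand-in for ActiveRecord's integer cast (assumed here to behave like `String#to_i`, which is why `1 OR 1=1` resolves to record 1), a query builder that interpolates the raw parameter the way the summary describes, and a hardened builder that converts strictly with `Integer()` before the value reaches the SQL string. The record ids and the table and column names are hypothetical; no Rails or database is needed to run it.

```ruby
# Added illustration, not Grit42 code: an integer-looking parameter that is cast
# for the record lookup but interpolated raw into a JOIN clause.

# Constructed stand-in for the data_tables table: the ids that exist.
EXISTING_DATA_TABLE_IDS = [1, 2, 3].freeze

# Stand-in for DataTable.find(params[:data_table_id]). ActiveRecord casts a
# string attribute to an integer (assumed here to behave like String#to_i),
# so "1 OR 1=1" becomes 1 and the lookup succeeds.
def find_data_table(raw_id)
  id = raw_id.to_i
  raise "RecordNotFound: DataTable #{raw_id.inspect}" unless EXISTING_DATA_TABLE_IDS.include?(id)
  id
end

# Vulnerable pattern: the cast value is used for the lookup, but the JOIN
# condition is built from the original string (hypothetical table/column names).
def vulnerable_join_sql(raw_id)
  find_data_table(raw_id)                       # passes for "1 OR 1=1"
  "SELECT e.* FROM data_table_entities e " \
    "JOIN data_tables t ON t.id = e.data_table_id " \
    "AND t.id = #{raw_id}"                      # raw string lands in the SQL
end

# Hardened pattern: convert strictly before anything touches the SQL string.
# Integer() rejects "1 OR 1=1" with ArgumentError; to_i would silently return 1.
def hardened_join_sql(raw_id)
  id = Integer(raw_id.to_s, 10)
  find_data_table(id)
  "SELECT e.* FROM data_table_entities e " \
    "JOIN data_tables t ON t.id = e.data_table_id " \
    "AND t.id = #{id}"
end

# Reports what each builder does with a given parameter value.
def compare(raw_id)
  vuln = vulnerable_join_sql(raw_id)
  safe = begin
    hardened_join_sql(raw_id)
  rescue ArgumentError => e
    "rejected (#{e.message})"
  end
  { vulnerable: vuln, hardened: safe }
end

if __FILE__ == $PROGRAM_NAME
  compare("1 OR 1=1").each { |k, v| puts "#{k}: #{v}" }
end
```

Running it with `1 OR 1=1` shows the vulnerable builder emitting `... AND t.id = 1 OR 1=1` while the hardened builder raises before any SQL is assembled. In a real Rails model the better fix is to avoid interpolation entirely and hand the id to ActiveRecord as a bind parameter; the strict cast is the minimal change that matches the `find()` contract.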

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and data exfiltration.

  • Attackers can extract sensitive information such as hashed passwords, API tokens, password-reset tokens, activation tokens, and second-factor authentication tokens.
  • In multi-tenant environments, a single low-privilege account can exfiltrate all research data and impersonate administrators.
  • Attackers can achieve full account takeover by replaying stolen administrator tokens.
  • Where the application's database role is a PostgreSQL superuser, as is common in container deployments, the injection can also be used to read arbitrary files on the database host.
Detection Guidance

Test the grit42 Data Table Entity endpoint for SQL injection through the `data_table_id` parameter.

Because the injection is boolean-based blind, query output is never echoed; detection relies on sending one condition that is true and one that is false and observing whether the responses differ in status, length or content.

  • Send URL-encoded SQL payloads in `data_table_id` together with the application's session cookie or API token, since the endpoint requires authentication. For example: `curl -sS -G 'https://target/grit42/assays/data_table_entity' --data-urlencode 'data_table_id=1 OR 1=1'`, then repeat with `data_table_id=1 AND 1=1` and `data_table_id=1 AND 1=2` and diff the two responses; a difference means the database is evaluating the injected condition.
  • Run an automated SQL injection scanner against the endpoint with the same credentials to confirm the injection point.
  • Review web-server logs for `data_table_id` values that are not plain integers, and database or application logs for errors or unusual queries tied to that parameter; a pair of requests from one client that differ only in a true/false condition is the signature of blind probing.
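
A log-side check for the last bullet, as an added Ruby example that is not Grit42's or the page's code: it parses access-log lines (constructed here; the endpoint path is assumed and should be confirmed against the application's routes), flags every `data_table_id` value that is not a plain decimal integer, and groups the flagged requests by client and path so the true/false pair of a boolean-blind probe stands out.

```ruby
# Added detection helper, not Grit42 code: flag requests whose data_table_id
# parameter is anything other than a plain decimal integer.
require "cgi"
require "uri"

# Constructed sample access-log lines (common log format). The endpoint path is
# assumed; the true/false pair from 10.0.0.9 is what a boolean-blind probe looks like.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [15/Jun/2026:10:01:02 +0000] "GET /grit42/assays/data_table_entity?data_table_id=7 HTTP/1.1" 200 512
  10.0.0.9 - - [15/Jun/2026:10:01:09 +0000] "GET /grit42/assays/data_table_entity?data_table_id=7%20AND%201%3D1 HTTP/1.1" 200 512
  10.0.0.9 - - [15/Jun/2026:10:01:10 +0000] "GET /grit42/assays/data_table_entity?data_table_id=7%20AND%201%3D2 HTTP/1.1" 200 37
  10.0.0.5 - - [15/Jun/2026:10:02:00 +0000] "GET /grit42/assays/other?data_table_id=7+OR+1%3D1 HTTP/1.1" 200 100
LOG

REQUEST_RE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+" (?<status>\d{3}) (?<bytes>\d+)}

# Splits one log line into client IP, path, decoded query parameters, status
# and response size; returns nil for lines that do not carry a request.
def parse_request(line)
  m = REQUEST_RE.match(line)
  return nil unless m
  uri = URI.parse(m[:target])
  { ip: line.split(" ", 2).first, path: uri.path,
    params: CGI.parse(uri.query.to_s), status: m[:status].to_i, bytes: m[:bytes].to_i }
end

# The endpoint legitimately expects a non-negative decimal integer and nothing else.
def plain_integer?(value)
  value.match?(/\A\d+\z/)
end

# Returns one record per request whose data_table_id is not a plain integer.
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    req = parse_request(line)
    next unless req
    bad = req[:params].fetch("data_table_id", []).reject { |v| plain_integer?(v) }
    next if bad.empty?
    { ip: req[:ip], path: req[:path], value: bad.first, status: req[:status], bytes: req[:bytes] }
  end
end

# Boolean-blind probing: the same client hits the same path with a true and a
# false condition and gets different response sizes. Returns the [ip, path] pairs.
def blind_probe_sources(records)
  records.group_by { |r| [r[:ip], r[:path]] }
         .select { |_, rs| rs.map { |r| r[:bytes] }.uniq.size > 1 }
         .keys
end

if __FILE__ == $PROGRAM_NAME
  flagged = suspicious_requests(SAMPLE_LOG)
  flagged.each { |r| puts r.inspect }
  puts "blind probe sources: #{blind_probe_sources(flagged).inspect}"
end
```

On the sample lines this flags the three non-integer values (`7 AND 1=1`, `7 AND 1=2`, `7 OR 1=1`) and reports 10.0.0.9 against the data_table_entity path as a blind-probe source, because its two requests returned different byte counts. Feed it the real access log and add the application's exact route to the filter if other endpoints legitimately accept the same parameter name.
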
Mitigation Strategies

The immediate mitigation is to keep the raw `data_table_id` value out of the SQL string.

Convert `data_table_id` to an integer before it is interpolated into the JOIN clause, which matches the contract already implied by `DataTable.find()`. Use a strict conversion such as Ruby's `Integer()` rather than `to_i`, which silently turns `1 OR 1=1` into 1; better still, pass the value as a bind parameter (for example through ActiveRecord's `sanitize_sql_array`) so that it is never interpolated at all.

Until a fixed release is available, restrict the affected endpoint to trusted accounts with appropriate roles; by default any authenticated account, including one with no roles assigned, can reach it.

Monitor for exploitation attempts and apply a vendor fix once one is published; at the time of this entry the vendor had not responded to the disclosure.

Compliance Impact

Because the flaw exposes hashed passwords, API tokens, password-reset, activation and second-factor tokens, and in multi-tenant deployments all research data and administrator identities, a successful exploit amounts to a data breach involving unauthorized access to personal and confidential data.

Such a breach can put an organisation out of compliance with data protection regulations such as GDPR and HIPAA, which require strict controls that preserve the confidentiality, integrity and availability of personal and sensitive data.
