CVE-2026-48114

Received Received - Intake

BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-15

Last Modified

2026-06-15

Generated

2026-06-16

AI Q&A

2026-06-15

EPSS Evaluated

N/A

NVD

CVE-2026-48114

EUVD

EUVD-2026-36795

Affected Vendors & Products

Vendor	Product	Version / Range
nceas	metacat	From 2.0.0 (inc)
nceas	metacat	2.19.1
nceas	metacat	3.0.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-287	When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

Executive Summary

This vulnerability is an unauthenticated SQL injection in Metacat versions 2.0.0 and above, specifically in the /harvesterRegistration endpoint.

The issue arises because the HarvesterRegistration.dbInsert() method builds an SQL INSERT query using string concatenation without properly escaping input, allowing attackers to inject malicious SQL code.

Three request parameters—unit, contactEmail, and documentListURL—are vulnerable to this attack.

Since the servlet does not verify LDAP identities, attackers can exploit this flaw without authentication to execute arbitrary SQL commands.

This grants full read, write, and execute access to the Metacat database, potentially compromising the entire data repository.

A second-order SQL injection also exists where an attacker-controlled documentListURL is fetched and parsed unsafely, further increasing risk.

The vulnerability was fixed in Metacat 3.0.0 by removing the vulnerable harvesterClient package.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to execute arbitrary SQL commands on the Metacat database.

Full read access to sensitive data stored in the database.
Full write access, allowing attackers to modify or delete data.
Execution of arbitrary SQL commands, potentially leading to complete compromise of the database.

Because no authentication is required and no user interaction is needed, the vulnerability is easy to exploit remotely.

This can lead to data breaches, data loss, or disruption of services relying on the Metacat data repository.

Detection Guidance

The vulnerability exists in the /harvesterRegistration endpoint of Metacat versions 2.x through 2.19.1, where unauthenticated SQL injection is possible via the parameters unit, contactEmail, and documentListURL.

Detection can focus on monitoring HTTP requests to the /harvesterRegistration endpoint for suspicious or malformed input in these parameters that could indicate SQL injection attempts.

Network or system administrators can use web server logs or network traffic inspection tools to identify unusual POST requests targeting /harvesterRegistration with SQL syntax or payloads.

Specific commands are not provided in the resources, but general approaches include using tools like curl or wget to test the endpoint manually, or employing web vulnerability scanners configured to test for SQL injection on these parameters.

Mitigation Strategies

The primary mitigation is to upgrade Metacat to version 3.0.0 or later, preferably 3.4.0 or above, where the vulnerability has been fixed by removing the vulnerable harvesterClient package.

If upgrading is not immediately possible, a workaround is to disable the vulnerable 1.x API servlets, including the /harvesterRegistration endpoint, by editing the Apache Tomcat web.xml configuration file to restrict or block access.

Most deployments have already upgraded to 3.x, which minimizes exposure, so verifying your version and upgrading is critical.

Hi! I’m here to help you understand CVE-2026-48114. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-48114

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart