CVE-2026-48114
Deferred Deferred - Pending Action

Unauthenticated SQL Injection in Metacat Data Repository

Vulnerability report for CVE-2026-48114, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
nceas metacat From 2.0.0 (inc)
nceas metacat 2.19.1
nceas metacat 3.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated SQL injection in Metacat versions 2.0.0 and above, specifically in the /harvesterRegistration endpoint.

The issue arises because the HarvesterRegistration.dbInsert() method builds an SQL INSERT query using string concatenation without properly escaping input, allowing attackers to inject malicious SQL code.

Three request parametersβ€”unit, contactEmail, and documentListURLβ€”are vulnerable to this attack.

Since the servlet does not verify LDAP identities, attackers can exploit this flaw without authentication to execute arbitrary SQL commands.

This grants full read, write, and execute access to the Metacat database, potentially compromising the entire data repository.

A second-order SQL injection also exists where an attacker-controlled documentListURL is fetched and parsed unsafely, further increasing risk.

The vulnerability was fixed in Metacat 3.0.0 by removing the vulnerable harvesterClient package.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to execute arbitrary SQL commands on the Metacat database.

  • Full read access to sensitive data stored in the database.
  • Full write access, allowing attackers to modify or delete data.
  • Execution of arbitrary SQL commands, potentially leading to complete compromise of the database.

Because no authentication is required and no user interaction is needed, the vulnerability is easy to exploit remotely.

This can lead to data breaches, data loss, or disruption of services relying on the Metacat data repository.

Detection Guidance

The vulnerability exists in the /harvesterRegistration endpoint of Metacat versions 2.x through 2.19.1, where unauthenticated SQL injection is possible via the parameters unit, contactEmail, and documentListURL.

Detection can focus on monitoring HTTP requests to the /harvesterRegistration endpoint for suspicious or malformed input in these parameters that could indicate SQL injection attempts.

Network or system administrators can use web server logs or network traffic inspection tools to identify unusual POST requests targeting /harvesterRegistration with SQL syntax or payloads.

Specific commands are not provided in the resources, but general approaches include using tools like curl or wget to test the endpoint manually, or employing web vulnerability scanners configured to test for SQL injection on these parameters.

Mitigation Strategies

The primary mitigation is to upgrade Metacat to version 3.0.0 or later, preferably 3.4.0 or above, where the vulnerability has been fixed by removing the vulnerable harvesterClient package.

If upgrading is not immediately possible, a workaround is to disable the vulnerable 1.x API servlets, including the /harvesterRegistration endpoint, by editing the Apache Tomcat web.xml configuration file to restrict or block access.

Most deployments have already upgraded to 3.x, which minimizes exposure, so verifying your version and upgrading is critical.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL injection attacks on the Metacat database, granting full read, write, and execute access. This can lead to unauthorized access, modification, or deletion of sensitive data stored in the system.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Specifically, the exposure of sensitive personal or health data through this vulnerability could result in violations of these regulations, leading to legal and financial consequences for affected organizations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48114. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart