CVE-2026-49344
Deferred Deferred - Pending Action

Unauthenticated Query Execution in Mercator

Vulnerability report for CVE-2026-49344, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account β€” including the read-only Auditor role β€” can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcentis mercator to 2026.05.09 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49344 is a vulnerability in the Mercator software versions before 2026.05.09 that arises from improper authorization checks in the QueryController::execute() method. Unlike other methods in the same controller, this method does not enforce access controls, allowing any authenticated user, including those with read-only roles like Auditor, to query data models beyond their intended permissions, including sensitive models like the User model.

Additionally, the password field, although marked as hidden in the application, can still be used as a filter predicate in queries. Attackers can exploit this by using LIKE conditions on the password field and analyzing metadata to progressively reconstruct bcrypt password hashes, leading to credential information disclosure.

The vulnerability requires a valid Mercator account with at least Configure permission and direct network access to the application. The Query Engine is read-only, so system integrity and availability are not affected.

Compliance Impact

This vulnerability allows unauthorized access to personally identifiable information (PII) through improper authorization checks in the Mercator Query Executor. Since any authenticated user, including those with limited roles, can query sensitive user data such as password hashes, this poses a risk to confidentiality.

Exposure of PII and credential information can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over access to sensitive personal data and require organizations to protect such data from unauthorized disclosure.

Therefore, this vulnerability undermines compliance with these standards by enabling unauthorized data disclosure, potentially resulting in regulatory penalties and loss of trust.

Impact Analysis

This vulnerability primarily impacts the confidentiality of your data. An attacker with a valid Mercator account can access sensitive information beyond their authorized scope, including personally identifiable information (PII) stored in the User model.

Specifically, attackers can exploit the ability to filter on the password field to reconstruct bcrypt password hashes, potentially compromising user credentials.

However, the vulnerability does not affect the integrity or availability of the system since the Query Engine is read-only.

Detection Guidance

This vulnerability can be detected by attempting to access the `/admin/queries/execute` endpoint of the Mercator application with an authenticated account, including those with read-only roles such as Auditor.

A practical detection method is to send authorized JSON DSL queries that include filters on sensitive fields like the `password` column and observe if the system returns data beyond the intended scope.

For example, you can use curl commands to test the endpoint:

  • curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <token>" -d '{"from":"User","select":["id","password"],"filters":[{"field":"password","operator":"LIKE","value":"%"}]}' https://<mercator-host>/admin/queries/execute

If the query returns user data including password hashes, it indicates the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Mercator to version 2025.05.19 or later, where the issue has been patched by enforcing proper authorization checks on the `QueryController::execute()` method.

Until the upgrade can be applied, restrict access to the `/admin/queries/execute` endpoint to only trusted users with appropriate permissions and consider network-level controls to limit access.

Additionally, review and tighten role permissions to ensure that read-only roles like Auditor cannot perform queries that expose sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart