CVE-2026-50636
Status: Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote, authenticated attacker holding the tokens/update permission on a survey can inject a crafted array element to perform SQL injection. Because LimeSurvey configures its PDO connection with emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statements, the injection supports stacked queries: the attacker can append arbitrary additional statements (INSERT/UPDATE/DELETE/DROP/CREATE) after the original SELECT. This permits both arbitrary read of any data in the database, such as administrator bcrypt password hashes (lime_users), survey response PII, session records, and global settings, all recoverable via a SLEEP() time-based blind oracle, and arbitrary write/destruction of that data, including directly overwriting the administrator password hash for immediate account takeover or dropping/truncating tables. Reads and writes extend to any schema the application's database user can access. The RemoteControl interface (RPCInterface = json/xml) must be enabled, which is not the default.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
limesurvey  limesurvey  * (all versions)
limesurvey  limesurvey  up to 8.0 (excluding)
CWE
CWE-89 (SQL Injection): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2026-50636 is a SQL injection vulnerability in LimeSurvey's RemoteControl API methods invite_participants and remind_participants. These methods take a user-supplied array of token IDs and directly concatenate them into an SQL query without proper input validation or parameterization. Because LimeSurvey uses PDO with emulated prepared statements and allows MySQL multi-statements, an authenticated attacker with tokens/update permission can inject malicious SQL code. This enables the attacker to execute stacked queries, allowing arbitrary reading and writing of database data.

The attacker can read sensitive data such as administrator password hashes, survey responses containing personally identifiable information (PII), session records, and global settings. They can also perform destructive actions like overwriting administrator passwords for immediate account takeover or dropping and truncating database tables. Exploitation requires the RemoteControl interface to be enabled, which is not enabled by default.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and control over the LimeSurvey application database. An attacker can read sensitive information such as administrator bcrypt password hashes, survey response PII, session data, and global settings.

Additionally, the attacker can perform destructive operations such as overwriting administrator passwords to take over accounts immediately, or dropping and truncating database tables, potentially causing data loss and service disruption.

Because the attack requires authenticated access with tokens/update permission and the RemoteControl interface enabled, the risk is limited to environments where these conditions are met.

Detection Guidance

This vulnerability involves SQL injection through the RemoteControl API methods invite_participants and remind_participants in LimeSurvey. Detection can focus on monitoring calls to these two methods, in particular calls whose token-ID array contains elements that are not plain integer token IDs (quotes, SQL keywords, or unusually long values).

Since exploitation requires authenticated access with tokens/update permission and the RemoteControl interface enabled, detection can include reviewing logs for unexpected or unauthorized usage of these API endpoints.

Specific commands or queries to detect exploitation attempts are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, update LimeSurvey to a version that includes the fix merged on June 5, 2026, which replaces unsafe SQL concatenation with parameterized queries using Yii's addInCondition() method.

If immediate patching is not possible, consider disabling the RemoteControl interface (RPCInterface = json/xml) if it is not required, as it is not enabled by default and is necessary for exploitation.

Additionally, review and restrict permissions to ensure that only trusted users have the tokens/update permission.
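The concatenation pattern the description attributes to findUninvited(), next to the parameterized form the fix is said to adopt, as an added illustration that is not LimeSurvey's own code: the function names, the table and column names ({{tokens_<surveyId>}}, tid, email, sent) and the positive-integer validation policy are assumptions, while CDbCriteria::addInCondition() is the Yii 1.1 method named in the mitigation above.

```php
<?php
// Added illustration, not LimeSurvey's code: the concatenation pattern the CVE
// describes next to a parameterized equivalent. Function, table and column
// names are assumptions; $tokenIds stands for the caller-supplied array that
// reaches findUninvited() from invite_participants / remind_participants.

// VULNERABLE: each element is quoted and glued into the IN (...) list as-is,
// so a non-numeric element can close the string literal and inject SQL. With
// emulatePrepare = true and multi-statements left enabled, stacked queries run.
function findUninvitedUnsafe(CDbConnection $db, int $surveyId, array $tokenIds): array
{
    $list = "'" . implode("','", $tokenIds) . "'";   // no escaping, no type check
    $sql  = "SELECT tid, email FROM {{tokens_{$surveyId}}} "
          . "WHERE tid IN ({$list}) AND sent = 'N'";
    return $db->createCommand($sql)->queryAll();
}

// HARDENED: accept only positive integers, then let Yii bind every value as a
// named parameter through CDbCriteria::addInCondition() (tid IN (:ycp0, :ycp1, ...)).
function findUninvitedSafe(CDbConnection $db, int $surveyId, array $tokenIds): array
{
    $ids = [];
    foreach ($tokenIds as $tid) {
        // ctype_digit() accepts only ASCII digit strings; cast first so that an
        // int is not treated as a character code, then reject anything else.
        if (!ctype_digit((string) $tid) || (int) $tid < 1) {
            throw new InvalidArgumentException(
                'Invalid token id: ' . var_export($tid, true)
            );
        }
        $ids[] = (int) $tid;
    }
    if ($ids === []) {
        return [];   // "IN ()" is a syntax error; short-circuit instead
    }

    $criteria = new CDbCriteria();
    $criteria->select = 'tid, email';
    $criteria->addInCondition('tid', $ids);           // values become bound parameters
    $criteria->addColumnCondition(['sent' => 'N']);   // bound as a parameter as well

    $table = $db->getSchema()->getTable("{{tokens_{$surveyId}}}");
    return $db->getCommandBuilder()
              ->createFindCommand($table, $criteria)
              ->queryAll();
}
```

The validation step matters independently of the binding: even with parameters, a caller may only ever legitimately supply token IDs, so rejecting anything else early also gives a clean point at which to log attempts for the detection guidance above.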

Compliance Impact

The vulnerability allows an authenticated attacker to perform SQL injection that can lead to unauthorized access and manipulation of sensitive data, including survey response personally identifiable information (PII), administrator password hashes, and session records.

Since LimeSurvey is used by organizations including those in healthcare and public sectors, and it prioritizes data privacy with GDPR compliance, this vulnerability poses a significant risk to compliance with standards like GDPR and HIPAA by potentially exposing or altering protected data.

Exploitation could result in breaches of confidentiality, integrity, and availability of sensitive data, which are core requirements of these regulations.
