Threat Feed
Threat level: high

CVE-2026-8851: SOGo SQL Injection Vulnerability in ACL Management

SOGo 5.12.7 is vulnerable to SQL injection in its Access Control List management functionality: an authenticated user can inject SQL subqueries through the uid parameter of the addUserInAcls endpoint to extract arbitrary data from the database, and the extracted data can then be exfiltrated via the /acls API.

SOGo version 5.12.7 is susceptible to a SQL injection vulnerability within its Access Control List (ACL) management feature. Authenticated users can exploit this flaw by injecting malicious SQL subqueries via the uid parameter in the addUserInAcls endpoint. Successful exploitation allows attackers to extract arbitrary data from the database. The injected SQL code can be crafted to write the extracted data into the sogo_acl table. Attackers can then retrieve this data through the /acls API, effectively creating an out-of-band data exfiltration channel. This vulnerability, identified as CVE-2026-8851, poses a significant risk to organizations using vulnerable versions of SOGo.

Attack Chain

  1. An attacker authenticates to the SOGo application.
  2. The attacker crafts a malicious HTTP request to the addUserInAcls endpoint.
  3. The request includes a SQL injection payload within the uid parameter.
  4. The SOGo application processes the request without proper sanitization, executing the injected SQL code.
  5. The injected SQL code extracts sensitive data from the database and writes it into the sogo_acl table.
  6. The attacker sends a request to the /acls API endpoint.
  7. The SOGo application retrieves the data from the sogo_acl table.
  8. The attacker receives the extracted data, achieving out-of-band data exfiltration.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-8851) allows attackers to extract arbitrary data from the SOGo database. This could include sensitive user information, credentials, and other confidential data. The CVSS v3.1 base score is 8.1, reflecting the high potential for data breach and compromise of the SOGo application and its underlying database.

Recommendation

  • Upgrade SOGo to a patched version beyond 5.12.7 to remediate CVE-2026-8851.
  • Deploy the Sigma rule Detect SOGo addUserInAcls SQL Injection to detect potential exploitation attempts against the addUserInAcls endpoint.
  • Monitor web server logs for suspicious requests to the /acls API after unusual activity on the addUserInAcls endpoint, as this is the exfiltration point.
  • Implement input validation and sanitization on the uid parameter of the addUserInAcls endpoint if patching is not immediately feasible.

Detection coverage (2 rules)

Detect SOGo addUserInAcls SQL Injection

Severity: high

Detects SQL injection attempts in the addUserInAcls endpoint by looking for SQL syntax in the uid parameter.

Rule type: sigma; tactics: initial_access; techniques: T1190; sources: webserver

Detect SOGo Data Exfiltration via acls API

Severity: medium

Detects potential data exfiltration by monitoring requests to the `/acls` endpoint after SQL injection attempts have been detected against addUserInAcls.

Rule type: sigma; tactics: exfiltration; techniques: T1041; sources: webserver
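The two rules above are described but not reproduced on this page. The following Python script is an added example, not the platform's Sigma rules and not SOGo project code, that implements the same two-stage logic over web-server access logs: it flags a request to the addUserInAcls endpoint whose uid parameter contains SQL syntax, then flags a read of an /acls resource by the same client within a time window, which is the retrieval step the attack chain and the third recommendation describe. The combined log format, the SOGo URL path layout, the client addresses, user names and the sample log lines are all constructed for this example.

```python
"""Two-stage detection for CVE-2026-8851 over web-server access logs.

Stage 1 flags requests to the SOGo addUserInAcls endpoint whose uid
parameter carries SQL syntax; stage 2 flags a follow-up read of an /acls
resource by the same client, the out-of-band retrieval step.
Added example: not SOGo project code and not the platform's Sigma rules."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format. The SOGo path
# layout /SOGo/so/<user>/<folder>/... is assumed. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2026:10:00:01 +0000] "GET /SOGo/so/alice/Calendar/personal/addUserInAcls?uid=bob HTTP/1.1" 200 512
10.0.0.9 - mallory [12/Mar/2026:10:02:10 +0000] "GET /SOGo/so/mallory/Calendar/personal/addUserInAcls?uid=bob%27%3B%20SELECT%201%20-- HTTP/1.1" 200 512
10.0.0.9 - mallory [12/Mar/2026:10:02:15 +0000] "GET /SOGo/so/mallory/Calendar/personal/acls HTTP/1.1" 200 2048
10.0.0.5 - alice [12/Mar/2026:10:30:00 +0000] "GET /SOGo/so/alice/Calendar/personal/acls HTTP/1.1" 200 300
10.0.0.9 - mallory [12/Mar/2026:10:45:00 +0000] "GET /SOGo/so/mallory/Calendar/personal/acls HTTP/1.1" 200 300
"""

# Combined log format: client ident user [timestamp] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# SQL syntax that has no place in a user identifier: string delimiters,
# comment markers, a statement separator, or SQL keywords. Tune the keyword
# list and the quote test to your site's identifier policy.
SQL_SYNTAX_RE = re.compile(r"""(?ix)
    ['"]                                          # string delimiters
    | -- | /\* | \*/ | ;                          # comment markers, statement separator
    | \b(select|union|insert|update|delete|from|where|sleep|pg_sleep|benchmark)\b
""")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    split = urlsplit(rec["url"])
    rec["path"] = split.path
    # parse_qs percent-decodes values, so encoded payloads are inspected decoded
    rec["query"] = parse_qs(split.query, keep_blank_values=True)
    return rec


def uid_has_sql_syntax(rec):
    """Rule 1: request to addUserInAcls whose uid parameter contains SQL syntax."""
    if not rec["path"].endswith("/addUserInAcls"):
        return False
    return any(SQL_SYNTAX_RE.search(v) for v in rec["query"].get("uid", []))


def analyze(log_text, window_seconds=600):
    """Run both rules over the log text and return alerts in log order.

    Rule 2 fires when a client that tripped rule 1 reads an /acls resource
    within window_seconds, matching the retrieval step of the attack chain."""
    alerts = []
    suspects = {}  # client address -> timestamp of its last injection attempt
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if uid_has_sql_syntax(rec):
            suspects[rec["client"]] = rec["ts"]
            alerts.append({"rule": "sogo_addUserInAcls_sqli", "severity": "high",
                           "client": rec["client"], "user": rec["user"],
                           "uid": rec["query"]["uid"]})
        elif rec["path"].endswith("/acls") and rec["client"] in suspects:
            elapsed = (rec["ts"] - suspects[rec["client"]]).total_seconds()
            if 0 <= elapsed <= window_seconds:
                alerts.append({"rule": "sogo_acls_exfiltration", "severity": "medium",
                               "client": rec["client"], "user": rec["user"],
                               "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Access logs carry only the query string, so if the uid parameter is submitted in a request body this check needs request-body logging at a reverse proxy or WAF in front of SOGo. A legitimate identifier containing an apostrophe will trip the first rule; narrow the keyword list or add an allow-list of known identifiers rather than dropping the quote test, since the quote is what the injection depends on.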
