{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sogo-5.12.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-8851"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SOGo 5.12.7"],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-8851","data-exfiltration"],"_cs_type":"threat","_cs_vendors":["SOGo"],"content_html":"\u003cp\u003eSOGo version 5.12.7 is susceptible to a SQL injection vulnerability within its Access Control List (ACL) management feature. Authenticated users can exploit this flaw by injecting malicious SQL subqueries via the \u003ccode\u003euid\u003c/code\u003e parameter in the \u003ccode\u003eaddUserInAcls\u003c/code\u003e endpoint. Successful exploitation allows attackers to extract arbitrary data from the database. The injected SQL code can be crafted to write the extracted data into the \u003ccode\u003esogo_acl\u003c/code\u003e table. Attackers can then retrieve this data through the \u003ccode\u003e/acls\u003c/code\u003e API, effectively creating an out-of-band data exfiltration channel. This vulnerability, identified as CVE-2026-8851, poses a significant risk to organizations using vulnerable versions of SOGo.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the SOGo application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eaddUserInAcls\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a SQL injection payload within the \u003ccode\u003euid\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe SOGo application processes the request without proper sanitization, executing the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code extracts sensitive data from the database and writes it into the \u003ccode\u003esogo_acl\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003e/acls\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eThe SOGo application retrieves the data from the \u003ccode\u003esogo_acl\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the extracted data, achieving out-of-band data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-8851) allows attackers to extract arbitrary data from the SOGo database. This could include sensitive user information, credentials, and other confidential data. The CVSS v3.1 base score is 8.1, reflecting the high potential for data breach and compromise of the SOGo application and its underlying database.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SOGo to a patched version beyond 5.12.7 to remediate CVE-2026-8851.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SOGo addUserInAcls SQL Injection\u003c/code\u003e to detect potential exploitation attempts against the \u003ccode\u003eaddUserInAcls\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/acls\u003c/code\u003e API after unusual activity on the \u003ccode\u003eaddUserInAcls\u003c/code\u003e endpoint, as this is the exfiltration point.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003euid\u003c/code\u003e parameter of the \u003ccode\u003eaddUserInAcls\u003c/code\u003e endpoint if patching is not immediately feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T21:18:45Z","date_published":"2026-05-18T21:18:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sogo-sql-injection/","summary":"SOGo 5.12.7 is vulnerable to SQL injection in the Access Control List management functionality, allowing authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint, which can be exfiltrated via the /acls API.","title":"CVE-2026-8851: SOGo SQL Injection Vulnerability in ACL Management","url":"https://feed.craftedsignal.io/briefs/2026-05-sogo-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — SOGo 5.12.7","version":"https://jsonfeed.org/version/1.1"}