Platform
go
Component
github.com/mattermost/focalboard
Fixed in
8.0.1
7.10.7
CVE-2026-25773 is a second-order SQL injection in Focalboard, a project management application. An authenticated attacker supplies SQL inside a category ID; the value is accepted and stored, and is later used unsanitized in the query that reorders categories, where it executes. "Second-order" means the request that plants the payload and the request that triggers it are different, so the triggering request can look entirely benign. Focalboard 7.10.6 and earlier are affected. Note a conflict within this entry: the version data above lists 7.10.7 and 8.0.1 as fixed releases, while the description states that no official fix exists because the product is unsupported; check the upstream release history before relying on either statement.
The primary impact of CVE-2026-25773 is data exfiltration. The injected SQL runs with the application's own database privileges, so the attacker is not limited to the categories table; the concrete concern named for this flaw is retrieval of other users' password hashes. Hashes are not passwords, but they can be attacked offline, and any that crack give account takeover. The injection is time-based blind: the application returns no query output, so the attacker extracts data by making the database delay its response whenever a chosen condition holds (for example, that a particular character of a hash has a particular value) and reads the answer from the latency. This leaves few error traces in application logs, which is why it is harder to spot through error monitoring alone, but it costs many requests per recovered byte and produces a distinctive pattern of slow, repeated requests. The technique is routine and fully automatable, so it does not reduce the severity.
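The two phases described above, as an added example in Go (the language Focalboard is written in). This is illustrative code written for this entry, not Focalboard's own code, and it makes two assumptions that are labelled in the comments: the category ID format (a 27-character alphanumeric token) and the payload (a PostgreSQL-style pg_sleep call); the page names neither. The vulnerable query builder splices stored IDs into SQL text; the hardened one validates each stored value and passes it as a bind parameter.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CategoryIDPattern is an ASSUMPTION made for this example: a 27-character
// alphanumeric token. The page does not state Focalboard's real ID format;
// replace this with the format your deployment actually generates.
var CategoryIDPattern = regexp.MustCompile(`^[a-zA-Z0-9]{27}$`)

// Store stands in for the categories table. Phase 1 of a second-order
// injection is the write: the payload is persisted here, typically through a
// perfectly safe parameterized INSERT, so nothing fires yet.
type Store struct {
	byUser map[string][]string // user ID -> category IDs in their current order
}

func NewStore() *Store { return &Store{byUser: map[string][]string{}} }

// CreateCategory accepts whatever ID the client supplied. Skipping validation
// because "it is only an identifier" is the mistake this bug class depends on.
func (s *Store) CreateCategory(userID, categoryID string) {
	s.byUser[userID] = append(s.byUser[userID], categoryID)
}

// BuildReorderUnsafe is phase 2 as the vulnerable code does it: the IDs read
// back from storage are spliced into the SQL text that renumbers the categories.
// A stored ID such as  x' OR pg_sleep(5)--  becomes live SQL here. (pg_sleep is
// a hypothetical PostgreSQL-style time-based payload; the page names no payload
// and no database engine.)
func BuildReorderUnsafe(s *Store, userID string) string {
	var sb strings.Builder
	for i, id := range s.byUser[userID] {
		fmt.Fprintf(&sb,
			"UPDATE categories SET sort_order = %d WHERE user_id = '%s' AND id = '%s';\n",
			i, userID, id)
	}
	return sb.String()
}

// BuildReorderSafe is the hardened form, with two independent controls:
//  1. every ID is checked against the expected format even though it came
//     from our own database (second-order data is still untrusted data);
//  2. values travel as bind parameters and never as SQL text, so an ID that
//     somehow slipped past validation still cannot change the statement.
func BuildReorderSafe(s *Store, userID string) (string, []interface{}, error) {
	ids := s.byUser[userID]
	var sb strings.Builder
	args := make([]interface{}, 0, 3*len(ids))
	for i, id := range ids {
		if !CategoryIDPattern.MatchString(id) {
			return "", nil, fmt.Errorf("stored category id %q does not match the expected format", id)
		}
		sb.WriteString("UPDATE categories SET sort_order = ? WHERE user_id = ? AND id = ?;\n")
		args = append(args, i, userID, id)
	}
	return sb.String(), args, nil
}

func main() {
	st := NewStore()
	st.CreateCategory("user1", strings.Repeat("a", 27)) // constructed, well-formed ID
	st.CreateCategory("user1", "x' OR pg_sleep(5)--")   // constructed, hypothetical payload
	fmt.Print("vulnerable query text:\n", BuildReorderUnsafe(st, "user1"))
	if _, _, err := BuildReorderSafe(st, "user1"); err != nil {
		fmt.Println("hardened path:", err)
	}
}
```

The real fix also rejects the malformed ID at creation time, but the read-side check is what makes the reorder path safe against values that were stored before the fix was deployed.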
This vulnerability was publicly disclosed on 2026-04-03. No public proof-of-concept exploit is known at the time of writing, and the CVE is not listed in the CISA KEV catalog. The time-based blind nature slows exploitation, since each extracted byte needs several timed requests, but it does not prevent it; the possibility of exfiltrating password hashes keeps the impact significant.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
If one of the fixed releases listed in the version data above (7.10.7 or 8.0.1) is available to you, upgrading is the primary remediation. Where no upgrade path exists because the product is no longer supported, mitigation has to reduce the attack surface and detect attempts. Restrict the category creation and reordering API to trusted users; the attacker needs an authenticated account. Validate all user-supplied data against its expected shape, including fields that look like opaque identifiers, and because this is a second-order bug, validate both when the value is stored and again when stored values are read back into a query; pass values as bind parameters rather than concatenating them into SQL text. A Web Application Firewall with SQL injection rules can block obvious payloads in the category creation request, but the triggering reorder request may carry no payload at all, so a WAF alone is not a fix. Monitor database and request logs for reorder operations with unusually long execution times, repeated reorder calls from a single user, and sleep or delay functions appearing in query text. These measures lower the risk; they do not remove the underlying flaw.
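The monitoring advice above, turned into a worked detection as an added example written for this entry (not Focalboard's own code or log format). It runs two checks over a constructed key=value request log: any submitted category ID that does not match the expected format, and any user with several slow calls to the reorder endpoint, which is what time-based blind extraction looks like from the outside. The ID format, the field names, the endpoint paths and every log line are assumptions made for the example and are marked as such in the code.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// CategoryIDPattern is an ASSUMED identifier format (27 alphanumerics); the page
// does not give Focalboard's real one. Anything that fails it is worth an alert.
var CategoryIDPattern = regexp.MustCompile(`^[a-zA-Z0-9]{27}$`)

// Constructed request log. Field names, endpoint paths and all lines are
// assumptions for this example, not Focalboard's real log format or API; map
// your proxy or application log onto the same fields.
var (
	validA    = strings.Repeat("a", 27)
	validB    = strings.Repeat("b", 27)
	SampleLog = []string{
		"t=2026-04-03T10:00:01Z user=alice method=PUT path=/api/v2/teams/t1/categories/reorder status=200 dur_ms=38 ids=" + validA + "," + validB,
		"t=2026-04-03T10:00:05Z user=alice method=PUT path=/api/v2/teams/t1/categories/reorder status=200 dur_ms=41 ids=" + validB + "," + validA,
		// planting request: a category whose ID is a URL-encoded hypothetical time-based payload
		"t=2026-04-03T10:01:00Z user=mallory method=POST path=/api/v2/teams/t1/categories status=200 dur_ms=30 ids=x'%20OR%20pg_sleep(5)--",
		// triggering requests carry only well-formed IDs, yet each takes about 5 s
		"t=2026-04-03T10:01:02Z user=mallory method=PUT path=/api/v2/teams/t1/categories/reorder status=200 dur_ms=5004 ids=" + validA,
		"t=2026-04-03T10:01:08Z user=mallory method=PUT path=/api/v2/teams/t1/categories/reorder status=200 dur_ms=5011 ids=" + validA,
		"t=2026-04-03T10:01:14Z user=mallory method=PUT path=/api/v2/teams/t1/categories/reorder status=200 dur_ms=4998 ids=" + validA,
		// a single slow request from a normal user stays below the repetition threshold
		"t=2026-04-03T10:02:00Z user=alice method=PUT path=/api/v2/teams/t1/categories/reorder status=200 dur_ms=5200 ids=" + validA,
	}
)

// Finding is one alert produced by Analyze.
type Finding struct {
	Kind   string // "malformed-id" or "timing"
	User   string
	Detail string
}

type entry struct {
	user, path string
	durMS      int
	ids        []string
}

// parseLine extracts the fields Analyze needs from one key=value log line.
func parseLine(line string) (entry, error) {
	var e entry
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			e.user = kv[1]
		case "path":
			e.path = kv[1]
		case "dur_ms":
			d, err := strconv.Atoi(kv[1])
			if err != nil {
				return e, fmt.Errorf("bad dur_ms in %q: %w", line, err)
			}
			e.durMS = d
		case "ids":
			if kv[1] != "" {
				e.ids = strings.Split(kv[1], ",")
			}
		}
	}
	if e.user == "" || e.path == "" {
		return e, fmt.Errorf("missing user or path in %q", line)
	}
	return e, nil
}

// Analyze flags (1) any submitted category ID that fails the format check and
// (2) any user with at least minSlow requests to the reorder endpoint taking
// slowMS or longer: time-based blind extraction needs many delayed round trips
// per recovered byte, and the triggering requests themselves may look clean.
func Analyze(lines []string, reorderSuffix string, slowMS, minSlow int) []Finding {
	var findings []Finding
	slowByUser := map[string]int{}
	for _, line := range lines {
		e, err := parseLine(line)
		if err != nil {
			continue // production code should count and alert on unparsable lines
		}
		for _, id := range e.ids {
			if !CategoryIDPattern.MatchString(id) {
				findings = append(findings, Finding{"malformed-id", e.user, id})
			}
		}
		if strings.HasSuffix(e.path, reorderSuffix) && e.durMS >= slowMS {
			slowByUser[e.user]++
		}
	}
	for user, n := range slowByUser {
		if n >= minSlow {
			findings = append(findings, Finding{"timing", user,
				fmt.Sprintf("%d reorder requests took >= %d ms", n, slowMS)})
		}
	}
	return findings
}

func main() {
	for _, f := range Analyze(SampleLog, "/categories/reorder", 4500, 3) {
		fmt.Printf("%-12s user=%-8s %s\n", f.Kind, f.User, f.Detail)
	}
}
```

Tune slowMS to a multiple of the endpoint's normal latency and minSlow to something a single slow database moment cannot reach; the malformed-ID check needs no tuning and should fire on the planting request even when the attacker's timing is patient enough to stay under the threshold.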
Because the product is no longer maintained, migrating to a maintained alternative is the recommended course. If you must keep running Focalboard, apply the mitigations above to reduce the risk of SQL injection.
CVE-2026-25773 is a second-order SQL injection affecting Focalboard 7.10.6 and earlier. An authenticated attacker can store SQL in a category ID that later executes during category reordering, allowing data exfiltration, including password hashes.
If you run Focalboard 7.10.6 or earlier, you are affected. Because Focalboard is unsupported, do not expect further official fixes; compare the fixed versions listed at the top of this entry against your installation.
With no vendor fix for unsupported deployments, mitigation consists of restricting access to the category APIs, validating category IDs both when stored and when used, passing values as query parameters, applying WAF rules as a partial control, and monitoring request and database logs for slow or repeated reorder operations.
As of the current date there are no confirmed reports of active exploitation, and the CVE is not in the CISA KEV catalog. The issue is public, however, and could be targeted.
Because Focalboard is unsupported, there is no official vendor advisory; the NVD record and other vulnerability databases are the available sources.