Scan free
HIGHCVE-2026-46445CVSS 7.1

CVE-2026-46445: SQL Injection in SOGo

Platform

postgresql

Component

sogo

Fixed in

5.12.7

View on NVD
Save

CVE-2026-46445 describes a SQL Injection vulnerability affecting SOGo versions from 0.0.0 up to and including 5.12.7. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability is specifically triggered when SOGo is configured to use a PostgreSQL database. A fix is available in version 5.12.7.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-46445 could allow an attacker to bypass authentication and gain unauthorized access to the SOGo database. This could lead to the exfiltration of sensitive user data, including email content, calendar entries, and contact information. Depending on the database permissions, an attacker might also be able to modify or delete data, potentially disrupting SOGo services or causing data loss. The impact is particularly severe in environments where SOGo is used to manage critical business communications and data.

Exploitation Context

CVE-2026-46445 was published on May 14, 2026. Severity is rated as HIGH (CVSS 7.1). There are currently no publicly known exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of the publication date. Monitor security advisories and threat intelligence feeds for any updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L7.1HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityHighConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentsogo
VendorAlinto
Minimum version0.0.0
Maximum version5.12.7
Fixed in5.12.7

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-46445 is to upgrade SOGo to version 5.12.7 or later. Before upgrading, it's crucial to review the SOGo release notes for any potential breaking changes and test the upgrade in a non-production environment. As a temporary workaround, consider implementing strict input validation and sanitization on all user-supplied data that is used in SQL queries. While not a complete solution, this can help reduce the attack surface. Additionally, review PostgreSQL database user permissions to ensure they adhere to the principle of least privilege.

How to fix

Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige una falla que permite a atacantes inyectar código SQL malicioso a través de consultas a la base de datos PostgreSQL.

Frequently asked questions

What is CVE-2026-46445 — SQL Injection in SOGo?

CVE-2026-46445 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7 when using PostgreSQL. It allows attackers to inject malicious SQL code to potentially access or modify the database.

Am I affected by CVE-2026-46445 in SOGo?

You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using a PostgreSQL database. Verify your SOGo version and upgrade if necessary.

How do I fix CVE-2026-46445 in SOGo?

Upgrade SOGo to version 5.12.7 or later. Review the release notes for potential breaking changes and test the upgrade in a non-production environment before applying it to production.

Is CVE-2026-46445 being actively exploited?

As of the publication date, there are no publicly known exploits or active campaigns targeting CVE-2026-46445. However, it's crucial to apply the fix promptly to mitigate potential future risks.

Where can I find the official SOGo advisory for CVE-2026-46445?

Refer to the official SOGo security advisories on the SOGo website: [https://www.sogo.nu/security/](https://www.sogo.nu/security/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...