CVE-2026-46446: SQL Injection in SOGo
Platform
mariadb
Component
sogo
Fixed in
5.12.7
CVE-2026-46446 describes a SQL Injection vulnerability discovered in SOGo, a groupware server. This flaw allows attackers to potentially manipulate database queries, leading to unauthorized data access or modification. The vulnerability impacts SOGo versions from 0.0.0 up to and including 5.12.7, specifically when PostgreSQL or MariaDB are used as the database backend and cleartext passwords are stored. A fix is available in version 5.12.7.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-46446 could allow an attacker to gain unauthorized access to sensitive data stored within the SOGo database. This includes user credentials (usernames and passwords stored in cleartext), email content, calendar entries, and contact information. Depending on the database privileges of the SOGo user, an attacker might be able to escalate their access to the underlying operating system, potentially leading to complete system compromise. The cleartext password storage significantly amplifies the impact, as stolen credentials can be used for lateral movement within the network. The potential for data exfiltration and disruption of groupware services makes this a serious concern.
Exploitation Context
CVE-2026-46446 was published on May 14, 2026. Its severity is rated HIGH with a CVSS score of 7.1. There is currently no indication that this vulnerability is being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released.
Threat Intelligence
Exploit Status
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- Low — partial or intermittent denial of service. Attacker can degrade performance.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-46446 is to upgrade SOGo to version 5.12.7 or later. Prior to upgrading, it's crucial to back up your SOGo configuration and database to ensure data integrity in case of unforeseen issues. If an immediate upgrade is not feasible, consider implementing stricter database access controls and limiting the privileges of the SOGo database user. While not a complete solution, using a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Monitor SOGo logs for suspicious database queries that might indicate exploitation attempts. After upgrading, verify the fix by attempting a SQL injection attack on the changePasswordForLogin endpoint and confirming that it is properly sanitized.
How to fix
Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige la forma en que se manejan las contraseñas en la función changePasswordForLogin, evitando la posibilidad de inyección SQL cuando se utilizan PostgreSQL o MariaDB con contraseñas almacenadas en texto plano.
Frequently asked questions
What is CVE-2026-46446 — SQL Injection in SOGo?
CVE-2026-46446 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7. It allows attackers to potentially manipulate database queries when PostgreSQL or MariaDB are used with cleartext passwords.
Am I affected by CVE-2026-46446 in SOGo?
You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using PostgreSQL or MariaDB with cleartext passwords. Upgrade to version 5.12.7 to resolve the issue.
How do I fix CVE-2026-46446 in SOGo?
The recommended fix is to upgrade SOGo to version 5.12.7 or later. Back up your configuration and database before upgrading.
Is CVE-2026-46446 being actively exploited?
Currently, there is no public evidence of CVE-2026-46446 being actively exploited in the wild, but the vulnerability's nature suggests potential for future exploitation.
Where can I find the official SOGo advisory for CVE-2026-46446?
Refer to the official SOGo security advisory for CVE-2026-46446 on the SOGo website: [https://www.sogo.nu/security/advisories](https://www.sogo.nu/security/advisories) (replace with actual advisory URL when available).
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...