Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-46446: SQL Injection in SOGo
Plateforme
mariadb
Composant
sogo
Corrigé dans
5.12.7
CVE-2026-46446 describes a SQL Injection vulnerability discovered in SOGo, a groupware server. This flaw allows attackers to potentially manipulate database queries, leading to unauthorized data access or modification. The vulnerability impacts SOGo versions from 0.0.0 up to and including 5.12.7, specifically when PostgreSQL or MariaDB are used as the database backend and cleartext passwords are stored. A fix is available in version 5.12.7.
Impact et Scénarios d'Attaquetraduction en cours…
Successful exploitation of CVE-2026-46446 could allow an attacker to gain unauthorized access to sensitive data stored within the SOGo database. This includes user credentials (usernames and passwords stored in cleartext), email content, calendar entries, and contact information. Depending on the database privileges of the SOGo user, an attacker might be able to escalate their access to the underlying operating system, potentially leading to complete system compromise. The cleartext password storage significantly amplifies the impact, as stolen credentials can be used for lateral movement within the network. The potential for data exfiltration and disruption of groupware services makes this a serious concern.
Contexte d'Exploitationtraduction en cours…
CVE-2026-46446 was published on May 14, 2026. Its severity is rated HIGH with a CVSS score of 7.1. There is currently no indication that this vulnerability is being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released.
Renseignement sur les Menaces
Statut de l'Exploit
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Élevée — nécessite une condition de course, configuration non standard ou circonstances spécifiques.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Faible — déni de service partiel ou intermittent.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2026-46446 is to upgrade SOGo to version 5.12.7 or later. Prior to upgrading, it's crucial to back up your SOGo configuration and database to ensure data integrity in case of unforeseen issues. If an immediate upgrade is not feasible, consider implementing stricter database access controls and limiting the privileges of the SOGo database user. While not a complete solution, using a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Monitor SOGo logs for suspicious database queries that might indicate exploitation attempts. After upgrading, verify the fix by attempting a SQL injection attack on the changePasswordForLogin endpoint and confirming that it is properly sanitized.
Comment corrigertraduction en cours…
Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige la forma en que se manejan las contraseñas en la función changePasswordForLogin, evitando la posibilidad de inyección SQL cuando se utilizan PostgreSQL o MariaDB con contraseñas almacenadas en texto plano.
Questions fréquentestraduction en cours…
What is CVE-2026-46446 — SQL Injection in SOGo?
CVE-2026-46446 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7. It allows attackers to potentially manipulate database queries when PostgreSQL or MariaDB are used with cleartext passwords.
Am I affected by CVE-2026-46446 in SOGo?
You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using PostgreSQL or MariaDB with cleartext passwords. Upgrade to version 5.12.7 to resolve the issue.
How do I fix CVE-2026-46446 in SOGo?
The recommended fix is to upgrade SOGo to version 5.12.7 or later. Back up your configuration and database before upgrading.
Is CVE-2026-46446 being actively exploited?
Currently, there is no public evidence of CVE-2026-46446 being actively exploited in the wild, but the vulnerability's nature suggests potential for future exploitation.
Where can I find the official SOGo advisory for CVE-2026-46446?
Refer to the official SOGo security advisory for CVE-2026-46446 on the SOGo website: [https://www.sogo.nu/security/advisories](https://www.sogo.nu/security/advisories) (replace with actual advisory URL when available).
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Essayez maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...