Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-46446: SQL Injection in SOGo
Platform
mariadb
Component
sogo
Opgelost in
5.12.7
CVE-2026-46446 describes a SQL Injection vulnerability discovered in SOGo, a groupware server. This flaw allows attackers to potentially manipulate database queries, leading to unauthorized data access or modification. The vulnerability impacts SOGo versions from 0.0.0 up to and including 5.12.7, specifically when PostgreSQL or MariaDB are used as the database backend and cleartext passwords are stored. A fix is available in version 5.12.7.
Impact en Aanvalsscenarioswordt vertaald…
Successful exploitation of CVE-2026-46446 could allow an attacker to gain unauthorized access to sensitive data stored within the SOGo database. This includes user credentials (usernames and passwords stored in cleartext), email content, calendar entries, and contact information. Depending on the database privileges of the SOGo user, an attacker might be able to escalate their access to the underlying operating system, potentially leading to complete system compromise. The cleartext password storage significantly amplifies the impact, as stolen credentials can be used for lateral movement within the network. The potential for data exfiltration and disruption of groupware services makes this a serious concern.
Uitbuitingscontextwordt vertaald…
CVE-2026-46446 was published on May 14, 2026. Its severity is rated HIGH with a CVSS score of 7.1. There is currently no indication that this vulnerability is being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released.
Dreigingsinformatie
Exploit Status
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Hoog — vereist een race condition, niet-standaard configuratie of specifieke omstandigheden.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Laag — gedeeltelijke of intermitterende denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2026-46446 is to upgrade SOGo to version 5.12.7 or later. Prior to upgrading, it's crucial to back up your SOGo configuration and database to ensure data integrity in case of unforeseen issues. If an immediate upgrade is not feasible, consider implementing stricter database access controls and limiting the privileges of the SOGo database user. While not a complete solution, using a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Monitor SOGo logs for suspicious database queries that might indicate exploitation attempts. After upgrading, verify the fix by attempting a SQL injection attack on the changePasswordForLogin endpoint and confirming that it is properly sanitized.
Hoe te verhelpenwordt vertaald…
Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige la forma en que se manejan las contraseñas en la función changePasswordForLogin, evitando la posibilidad de inyección SQL cuando se utilizan PostgreSQL o MariaDB con contraseñas almacenadas en texto plano.
Veelgestelde vragenwordt vertaald…
What is CVE-2026-46446 — SQL Injection in SOGo?
CVE-2026-46446 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7. It allows attackers to potentially manipulate database queries when PostgreSQL or MariaDB are used with cleartext passwords.
Am I affected by CVE-2026-46446 in SOGo?
You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using PostgreSQL or MariaDB with cleartext passwords. Upgrade to version 5.12.7 to resolve the issue.
How do I fix CVE-2026-46446 in SOGo?
The recommended fix is to upgrade SOGo to version 5.12.7 or later. Back up your configuration and database before upgrading.
Is CVE-2026-46446 being actively exploited?
Currently, there is no public evidence of CVE-2026-46446 being actively exploited in the wild, but the vulnerability's nature suggests potential for future exploitation.
Where can I find the official SOGo advisory for CVE-2026-46446?
Refer to the official SOGo security advisory for CVE-2026-46446 on the SOGo website: [https://www.sogo.nu/security/advisories](https://www.sogo.nu/security/advisories) (replace with actual advisory URL when available).
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Probeer het nu — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...