Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-46446: SQL Injection in SOGo
Plataforma
mariadb
Componente
sogo
Corrigido em
5.12.7
CVE-2026-46446 describes a SQL Injection vulnerability discovered in SOGo, a groupware server. This flaw allows attackers to potentially manipulate database queries, leading to unauthorized data access or modification. The vulnerability impacts SOGo versions from 0.0.0 up to and including 5.12.7, specifically when PostgreSQL or MariaDB are used as the database backend and cleartext passwords are stored. A fix is available in version 5.12.7.
Impacto e Cenários de Ataquetraduzindo…
Successful exploitation of CVE-2026-46446 could allow an attacker to gain unauthorized access to sensitive data stored within the SOGo database. This includes user credentials (usernames and passwords stored in cleartext), email content, calendar entries, and contact information. Depending on the database privileges of the SOGo user, an attacker might be able to escalate their access to the underlying operating system, potentially leading to complete system compromise. The cleartext password storage significantly amplifies the impact, as stolen credentials can be used for lateral movement within the network. The potential for data exfiltration and disruption of groupware services makes this a serious concern.
Contexto de Exploraçãotraduzindo…
CVE-2026-46446 was published on May 14, 2026. Its severity is rated HIGH with a CVSS score of 7.1. There is currently no indication that this vulnerability is being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released.
Inteligência de Ameaças
Status do Exploit
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Alta — exige condição de corrida, configuração não padrão ou circunstâncias específicas.
- Privileges Required
- Baixo — qualquer conta de usuário válida é suficiente.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Baixo — negação de serviço parcial ou intermitente.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-46446 is to upgrade SOGo to version 5.12.7 or later. Prior to upgrading, it's crucial to back up your SOGo configuration and database to ensure data integrity in case of unforeseen issues. If an immediate upgrade is not feasible, consider implementing stricter database access controls and limiting the privileges of the SOGo database user. While not a complete solution, using a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Monitor SOGo logs for suspicious database queries that might indicate exploitation attempts. After upgrading, verify the fix by attempting a SQL injection attack on the changePasswordForLogin endpoint and confirming that it is properly sanitized.
Como corrigirtraduzindo…
Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige la forma en que se manejan las contraseñas en la función changePasswordForLogin, evitando la posibilidad de inyección SQL cuando se utilizan PostgreSQL o MariaDB con contraseñas almacenadas en texto plano.
Perguntas frequentestraduzindo…
What is CVE-2026-46446 — SQL Injection in SOGo?
CVE-2026-46446 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7. It allows attackers to potentially manipulate database queries when PostgreSQL or MariaDB are used with cleartext passwords.
Am I affected by CVE-2026-46446 in SOGo?
You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using PostgreSQL or MariaDB with cleartext passwords. Upgrade to version 5.12.7 to resolve the issue.
How do I fix CVE-2026-46446 in SOGo?
The recommended fix is to upgrade SOGo to version 5.12.7 or later. Back up your configuration and database before upgrading.
Is CVE-2026-46446 being actively exploited?
Currently, there is no public evidence of CVE-2026-46446 being actively exploited in the wild, but the vulnerability's nature suggests potential for future exploitation.
Where can I find the official SOGo advisory for CVE-2026-46446?
Refer to the official SOGo security advisory for CVE-2026-46446 on the SOGo website: [https://www.sogo.nu/security/advisories](https://www.sogo.nu/security/advisories) (replace with actual advisory URL when available).
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...