CRITICAL🇵🇱 Wersja polska

CVE-2026-8054

CVSS 10.0v4.0pub. 2026-05-27

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

🤖 AI Analysis
How it works

The endpoints /api/auditPublishing/get and /api/auditPublishing/getAll did not enforce authentication and accepted unsanitized user input that was directly used to dynamically construct SQL queries. An attacker could inject malicious SQL expressions through HTTP request parameters, gaining full control over queries directed to the database. The patch introduced in version 26.04.28-03 now requires authentication as a backend user with permission to the publishing-queue portlet.

Impact

An attacker can read, modify, or destroy any content in the dotCMS system database without authentication, which may lead to disclosure of sensitive data, account takeover, or complete destruction of application data.

Mitigation & patch

dotCMS Core must be updated to version 26.04.28-03 or later. Patch details are available in the official vendor documentation at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75 and in the pull request https://github.com/dotCMS/core/pull/35553.

Who is affected

dotCMS Core versions 25.11.04-1 through 26.04.28-02 (inclusive). LTS versions are not vulnerable — the vulnerable code was never backported to them.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiAuth Bypass
CWE
References