Focalboard Second-Order SQL Injection Vulnerability in Category Reordering API

Vulnerability

A second-order SQL injection vulnerability has been identified in Focalboard version 8.0. The issue arises because the application fails to properly sanitize category IDs before using them in dynamic SQL statements during the category reordering process. This flaw allows authenticated attackers to inject malicious SQL payloads into the category ID field, which is then executed unsanitized when the category reorder API processes the stored value. Exploiting this vulnerability could lead to the exfiltration of sensitive data, including the password hashes of other users.

Impact

Exploitation of this vulnerability allows authenticated attackers to perform time-based blind SQL injection, exfiltrating sensitive data such as other users' password hashes.

Added: Apr 3, 2026, 2:26 PM

Updated: Apr 3, 2026, 2:26 PM

Vulnerability Rating

Custom Algorithm

spread

1.9

impact

2.5

exploitability

5.9

remediation

0.0

relevance

5.2

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.9

impact

2.5

exploitability

5.9

remediation

0.0

relevance

5.2

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Focalboard Second-Order SQL Injection Vulnerability in Category Reordering API

Vulnerability

Impact

Affected Products

Mattermost Focalboard

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating