YunaiV yudao-cloud SQL Injection Vulnerability in GoView Data Service

Vulnerability

A SQL injection vulnerability has been identified in YunaiV yudao-cloud versions prior to 2026.01. The issue resides in the 'getDataBySQL' method of the 'GoViewDataServiceImpl' class, within the 'yudao-module-report-biz' module. This vulnerability allows authenticated users with the 'report:go-view-data:get-by-sql' permission to execute arbitrary SQL queries. The 'getDataBySQL' method directly executes user-provided SQL without proper validation or parameterization, enabling attackers to inject malicious SQL code. Exploitation of this vulnerability could lead to unauthorized data access, data manipulation, and database compromise.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL queries, potentially leading to unauthorized access, modification, or deletion of database records. Additionally, it could result in a complete compromise of the database, with possibilities for data exfiltration, corruption, or destruction. Such actions could disrupt application functionality and, in some cases, allow for lateral movement to other systems through database links.

Reproduction

To reproduce this vulnerability, an authenticated user with the 'report:go-view-data:get-by-sql' permission sends a POST request to the '/admin-api/report/go-view-data/get-by-sql' endpoint with a JSON payload whose 'sql' parameter contains the injected SQL. The server executes that SQL without any protection, allowing the attacker to manipulate the database as desired.

Remediation

Implement parameterized queries to prevent SQL injection. If direct execution of user-supplied SQL is genuinely required, validate the statement against a whitelist of allowed patterns before executing it. Alternatively, consider removing the endpoint entirely and replacing it with prepared statements or stored procedures.
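As an added example (not code from yudao-cloud), the whitelist check described above written as a hypothetical guard that a reporting service could call before executing user-supplied SQL: it accepts only a single SELECT over named report tables and then runs it on a read-only, time- and row-capped statement. The class, method and table names are assumptions.

```java
import java.sql.*;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical allow-list guard for a "run this SQL" reporting endpoint; not yudao's own code. */
public final class ReadOnlySqlGuard {
    // Exactly one SELECT: no stacked statements (';') and no comment openers anywhere.
    private static final Pattern SINGLE_SELECT = Pattern.compile("^\\s*SELECT\\b[^;]*$", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    private static final Pattern COMMENT = Pattern.compile("--|/\\*|#");
    // Keywords with no place in a reporting SELECT (INTO also blocks SELECT ... INTO OUTFILE).
    private static final Pattern FORBIDDEN = Pattern.compile(
            "\\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|EXEC|EXECUTE|CALL|MERGE|INTO|"
            + "LOAD|LOAD_FILE|SLEEP|BENCHMARK|INFORMATION_SCHEMA|PERFORMANCE_SCHEMA|MYSQL)\\b", Pattern.CASE_INSENSITIVE);
    // Tables the reporting feature may read; constructed example names.
    private static final Set<String> ALLOWED_TABLES = Set.of("report_sales", "report_orders");
    private static final Pattern TABLE_REF = Pattern.compile("\\b(?:FROM|JOIN)\\s+`?([A-Za-z0-9_]+)`?", Pattern.CASE_INSENSITIVE);

    /** Rejects anything that is not a single SELECT over allow-listed tables. Deliberately coarse: a
     *  string literal such as 'delete' is rejected too, which is the safe direction for an allow-list. */
    public static void validate(String sql) {
        if (sql == null || !SINGLE_SELECT.matcher(sql).matches() || COMMENT.matcher(sql).find()
                || FORBIDDEN.matcher(sql).find())
            throw new IllegalArgumentException("only a single read-only SELECT is permitted");
        Matcher m = TABLE_REF.matcher(sql);
        boolean readsTable = false;
        for (; m.find(); readsTable = true) {
            if (!ALLOWED_TABLES.contains(m.group(1).toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("table not permitted: " + m.group(1));
        }
        if (!readsTable) throw new IllegalArgumentException("query must read an allow-listed table");
    }

    /** Executes a validated query behind the remaining rails: read-only session, timeout and row cap.
     *  The connection should belong to a database account holding only SELECT on the report tables. */
    public static List<Map<String, Object>> run(Connection conn, String sql) throws SQLException {
        validate(sql);
        conn.setReadOnly(true);  // a driver hint; the account's privileges are the real boundary
        List<Map<String, Object>> rows = new ArrayList<>();
        try (Statement st = conn.createStatement()) {
            st.setQueryTimeout(5);  // seconds; stops runaway or deliberately slow queries
            st.setMaxRows(1000);    // bounds result volume and server memory
            try (ResultSet rs = st.executeQuery(sql)) {
                ResultSetMetaData md = rs.getMetaData();
                while (rs.next()) {
                    Map<String, Object> row = new LinkedHashMap<>();
                    for (int i = 1; i <= md.getColumnCount(); i++) row.put(md.getColumnLabel(i), rs.getObject(i));
                    rows.add(row);
                }
            }
        }
        return rows;
    }
}
```

Regex screening of SQL is a second line of defence, not a parser; the account privileges and the read-only session are what actually bound the damage if a check is bypassed.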

Added: May 3, 2026, 5:17 AM
Updated: May 3, 2026, 5:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 7.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.