dotCMS
cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*
- >= 25.11.04-1, <= 26.04.28-02
A SQL injection vulnerability has been identified in the Publish Audit API endpoints of dotCMS Core versions 25.11.04-1 through 26.04.28-02. This vulnerability allows remote unauthenticated attackers to read, modify, or delete arbitrary database content. The issue arises because the endpoints did not enforce authentication and accepted unsanitized input that was directly interpolated into SQL queries. The vulnerability was introduced in the current release track and was never backported to LTS releases, which are not affected.
Exploitation of this vulnerability could lead to unauthorized access and manipulation of database content, including the potential destruction of records and associated data loss. Additionally, depending on the privileges of the database user, there could be opportunities for further lateral movement within the system.
The vulnerability has been fixed in dotCMS Core version 26.04.28-03. Organizations using affected versions should upgrade to this version. The fix includes authentication enforcement, requiring an authenticated backend user with the publishing-queue portlet permission, and the use of parameterized queries to prevent SQL injection.
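The version bounds above can be turned into an inventory triage check. The following is an added example, not code from dotCMS or from this advisory; it assumes versions are reported as `YY.MM.DD-NN` with a numerically compared build suffix, that releases later than 26.04.28-03 retain the fix, and that the caller already knows which hosts run an LTS release. The host names and inventory are constructed.

```python
import re

# Bounds copied from the advisory text above.
FIRST_AFFECTED = "25.11.04-1"
LAST_AFFECTED = "26.04.28-02"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")

def parse_version(text):
    """Split 'YY.MM.DD-NN' into ((yy, mm, dd), build); build is None if absent.

    Assumption: the build suffix compares numerically, so '-1' equals '-01'.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    yy, mm, dd, build = m.groups()
    return (int(yy), int(mm), int(dd)), (None if build is None else int(build))

def classify(version, is_lts=False):
    """Return 'affected', 'fixed', 'not-affected' or 'indeterminate'."""
    if is_lts:  # the advisory states LTS releases are not affected
        return "not-affected"
    date, build = parse_version(version)
    lo_date, lo_build = parse_version(FIRST_AFFECTED)
    hi_date, hi_build = parse_version(LAST_AFFECTED)
    if date < lo_date or (date == lo_date and build is not None and build < lo_build):
        return "not-affected"
    if date > hi_date or (date == hi_date and build is not None and build > hi_build):
        return "fixed"  # assumption: later releases retain the fix
    if build is None and date in (lo_date, hi_date):
        # Boundary day without a build number: cannot tell -02 from -03.
        return "indeterminate"
    return "affected"

# Constructed inventory: (host, reported version, on an LTS release?)
SAMPLE_INVENTORY = [
    ("cms-prod-1", "26.04.28-02", False),
    ("cms-prod-2", "26.04.28-03", False),
    ("cms-stage", "26.04.28", False),
    ("cms-legacy", "25.10.30-2", False),
    ("cms-lts", "lts-build-placeholder", True),
]

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver, lts) for host, ver, lts in inventory}
```

Hosts classified as `indeterminate` report a boundary-day version without a build number and need the full version string before they can be cleared.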