SOGo
cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*
- <= 5.12.7
A SQL injection vulnerability has been identified in SOGo version 5.12.7, in the Access Control List (ACL) management feature. An authenticated user can extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. The injected SQL writes the extracted data into the sogo_acl table, from which it can then be read back through the /acls API, creating an out-of-band data exfiltration channel.
The injected subqueries run with the privileges of the application's database user, so successful exploitation can lead to unauthorized data access or manipulation.
Users are advised to update to SOGo version 5.12.8, which addresses this vulnerability.
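Added illustration of the flaw class described above and of its fix, written in Python with SQLite; it is not SOGo's own code (SOGo is written in Objective-C). The sogo_acl table name comes from the advisory; the column names, the "secret" table, the uid allowlist and all sample values are constructed assumptions.

```python
import re
import sqlite3

# Hypothetical stand-in for the ACL store. Only the table name sogo_acl is from the
# advisory; columns, the "secret" table and the uid pattern are assumptions made for
# this illustration.
UID_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sogo_acl (c_object TEXT, c_uid TEXT, c_role TEXT)")
    conn.execute("CREATE TABLE secret (value TEXT)")  # constructed data that must stay private
    conn.execute("INSERT INTO secret VALUES ('constructed-secret')")
    return conn

def add_user_in_acls_vulnerable(conn, obj, uid, role):
    # Flawed pattern: uid is spliced into the SQL text, so a uid that breaks out of its
    # quotes and carries a subquery is executed, and the subquery's result is stored in
    # the ACL row, which is the out-of-band channel the advisory describes.
    conn.execute(f"INSERT INTO sogo_acl VALUES ('{obj}', '{uid}', '{role}')")

def add_user_in_acls_fixed(conn, obj, uid, role):
    # Hardened form: reject anything that is not a plausible user id, then bind the
    # value as a parameter so the database never parses it as SQL.
    if not UID_RE.match(uid):
        raise ValueError("invalid uid")
    conn.execute("INSERT INTO sogo_acl VALUES (?, ?, ?)", (obj, uid, role))

def list_acls(conn, obj):
    # Stand-in for the read-back API through which an injected row would be retrieved.
    return [r[0] for r in conn.execute("SELECT c_uid FROM sogo_acl WHERE c_object = ?", (obj,))]

def demo():
    # Constructed uid that closes the quoted value and concatenates a subquery result.
    hostile = "' || (SELECT value FROM secret) || '"
    vuln = make_db()
    add_user_in_acls_vulnerable(vuln, "Calendar/personal", hostile, "viewer")
    leaked = list_acls(vuln, "Calendar/personal")  # the private value is now readable
    fixed = make_db()
    try:
        add_user_in_acls_fixed(fixed, "Calendar/personal", hostile, "viewer")
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected
```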