VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2022 · Updated Apr 23, 2025

SQL Injection in DHIS2's OrgUnit program association

CVE-2022-24848

Description

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable only to users who are logged in to DHIS2; there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user and requires a deliberate attack to be exploited. A successful exploit could allow the malicious user to read, edit and delete data in the DHIS2 instance's database. Security patches are available in DHIS2 versions 2.36.10.1 and 2.37.6.1. Mitigations may be applied at the web proxy level as a workaround; more information about these mitigations is available in the GitHub Security Advisory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in DHIS2's `/api/programs/orgUnits?programs=` endpoint allows authenticated users to read, edit, or delete database data; fixed in versions 2.36.10.1 and 2.37.6.1.

Vulnerability

A SQL injection vulnerability exists in the /api/programs/orgUnits?programs= API endpoint of DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The flaw allows an authenticated attacker to inject arbitrary SQL commands via the programs parameter. The vulnerable code path is reachable only by users who are logged into DHIS2; no unauthenticated exploitation is possible [4].

Exploitation

An attacker must first authenticate as a DHIS2 user. No special privileges beyond a valid login are required. The attacker then crafts a malicious programs parameter value containing SQL injection payloads and sends a request to the vulnerable endpoint. The injection is executed against the database [4].

Impact

Successful exploitation enables the attacker to read, edit, and delete arbitrary data in the DHIS2 instance's database. This includes sensitive information, configuration data, and potentially system-level compromise depending on database permissions [4].

Mitigation

Security patches are available in DHIS2 versions 2.36.10.1 and 2.37.6.1. Users on earlier versions (including those before 2.35) should upgrade to the latest supported patch. For implementations that cannot upgrade immediately, a workaround involves applying request filtering at the web proxy level (e.g., Apache2) to block malicious SQL patterns [4].
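The two patterns behind the Vulnerability and Mitigation sections above, as an added Python illustration (this is not DHIS2's own Java code, and the page does not show the affected code path): a `programs` value spliced directly into SQL text lets the parameter reach the database parser, while an allowlist check on the identifier shape followed by a parameterized query keeps it as data. The check assumes the DHIS2 convention that object UIDs are eleven characters, a letter followed by ten letters or digits; the schema, table names and rows are constructed sample data, not the real DHIS2 tables.

```python
import re
import sqlite3

# Assumption (DHIS2 convention, not from the advisory): UIDs are 11 characters,
# a letter followed by ten letters or digits. Rejecting anything else before it
# reaches SQL is the allowlist-style filter a proxy or the app itself can apply.
UID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{10}$")


def parse_programs_param(value: str) -> list[str]:
    """Split a comma-separated `programs` value and reject non-UID entries.

    Raises ValueError so the caller can answer 400 without touching the database.
    """
    uids = [p.strip() for p in value.split(",") if p.strip()]
    if not uids:
        raise ValueError("programs parameter is empty")
    bad = [u for u in uids if not UID_RE.match(u)]
    if bad:
        raise ValueError(f"invalid program identifiers: {bad}")
    return uids


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: programs associated with org units."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE program (uid TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE orgunit (uid TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE program_orgunit (program_uid TEXT, orgunit_uid TEXT);
        INSERT INTO program VALUES ('aB1cD2eF3gH', 'Immunisation'), ('zY9xW8vU7tS', 'Malaria');
        INSERT INTO orgunit VALUES ('oU1oU1oU1oU', 'District A'), ('oU2oU2oU2oU', 'District B');
        INSERT INTO program_orgunit VALUES ('aB1cD2eF3gH', 'oU1oU1oU1oU'),
                                          ('zY9xW8vU7tS', 'oU2oU2oU2oU');
    """)
    return conn


def org_units_concat(conn: sqlite3.Connection, programs_param: str) -> list[str]:
    """Defective pattern: the raw request parameter is spliced into the SQL text,
    so any quote or keyword in it is interpreted by the database parser."""
    quoted = ",".join(f"'{p}'" for p in programs_param.split(","))
    sql = f"SELECT orgunit_uid FROM program_orgunit WHERE program_uid IN ({quoted})"
    return [row[0] for row in conn.execute(sql)]


def org_units_safe(conn: sqlite3.Connection, programs_param: str) -> list[str]:
    """Hardened pattern: validate the identifier shape, then bind values as
    parameters so the database only ever sees them as string literals."""
    uids = parse_programs_param(programs_param)
    placeholders = ",".join(["?"] * len(uids))
    sql = (
        "SELECT orgunit_uid FROM program_orgunit "
        f"WHERE program_uid IN ({placeholders}) ORDER BY orgunit_uid"
    )
    return [row[0] for row in conn.execute(sql, uids)]


def demo() -> dict:
    """Run both code paths against a well-formed value and a tampered one."""
    conn = make_db()
    good = "aB1cD2eF3gH,zY9xW8vU7tS"
    tampered = "aB1cD2eF3gH'"  # a stray quote: enough to show the input reaches the parser
    result = {"safe_good": org_units_safe(conn, good)}
    try:
        org_units_safe(conn, tampered)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True  # rejected before any SQL is built
    try:
        org_units_concat(conn, tampered)
        result["concat_reached_sql_parser"] = False
    except sqlite3.Error:
        result["concat_reached_sql_parser"] = True  # database choked on the spliced text
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shape check is what a reverse proxy can enforce without understanding the application: anything in `programs` that is not a comma-separated list of eleven-character identifiers is not a legitimate request to this endpoint and can be refused before it is forwarded. The parameterized query is the application-side fix; the proxy rule is only a stopgap until the patched 2.36.10.1 or 2.37.6.1 release is deployed.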

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • dhis2/DHIS2 (llm-create)
    Range: <2.36.10.1, <2.37.6.1
  • dhis2/dhis2-core (v5)
    Range: <= 2.36.10

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.