VYPR
Medium severity 6.3 · NVD Advisory · Published Jun 14, 2026

CVE-2026-12188

Description

SQL injection in Grit42 Grit's CSV export endpoint allows authenticated users to exfiltrate sensitive data and potentially escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in Grit42 Grit versions 0.0.x through 0.11.0 (every public release) in the GritEntityController of the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb. The CSV export endpoint GET /api/grit/:engine/:resource/export accepts user-controlled params[:columns] which is passed directly into Model.unscoped.select(*params[:columns]), allowing injection of raw SQL fragments. The sink was introduced in the initial commit 79b9dfa and affects any resource declared with resources_with_export [1].

Exploitation

An attacker needs only an active user account with network access to the application. No specific role is required, as the before_action chain does not enforce :check_read for the export action, allowing even zero-role users to reach the endpoint. By crafting a columns[] parameter containing SQL sub-selects, an authenticated user can manipulate the SELECT clause of the PostgreSQL query used for CSV export. The exploit is publicly available [1].

Impact

Successful exploitation enables an attacker to exfiltrate arbitrary data from the database, including sensitive columns such as crypted_password, single_access_token, forgot_token, activation_token, and two_factor_token from the grit_core_users table. Since the single_access_token is accepted as a permanent Authorization: Bearer credential, leaking an admin token allows an attacker to escalate to full administrative privileges in a single request [1].

Mitigation

As of the publication date, the vendor has not responded to the disclosure and no patch or workaround is available. Until a fix is released, restrict network access to the export endpoint or disable CSV export entirely (remove the resources_with_export declarations that expose it). The vulnerability is publicly known and exploit code is available [1].

AI Insight generated on Jun 14, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `export` action passes unsanitized user-supplied `params[:columns]` directly into `Model.unscoped.select()`, which accepts raw SQL fragments, enabling SQL injection."

Attack vector

An authenticated attacker sends a `GET` request to any resource endpoint that uses `resources_with_export` (e.g., `/api/grit/core/origins/export`) with a `columns[]` parameter containing raw SQL fragments. Because `Model.select` accepts raw SQL strings, the attacker can inject sub-selects into the `SELECT` clause. The `COPY (...)` statement then streams the result set directly into the CSV response, allowing the attacker to exfiltrate sensitive columns such as `single_access_token` from `grit_core_users`. No special role is required — any active user can trigger the endpoint. [ref_id=1] [CWE-89]

Affected code

The vulnerability resides in `modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb` within the `export` action. The controller splats user-controlled `params[:columns]` directly into `Model.unscoped.select(*params[:columns])`, and the resulting relation is wrapped in a PostgreSQL `COPY (...)` statement that streams output into the HTTP response body. This sink was introduced in the initial commit and affects all versions from 0.0.x through 0.11.0.

What the fix does

The advisory recommends whitelisting `params[:columns]` against the model's actual schema columns and quoting the survivors with `klass.connection.quote_column_name`. This prevents arbitrary SQL fragments from reaching the `SELECT` clause. The recommended fix also prefixes each column with `sub.` to avoid ambiguity in the subquery. Without this fix, any authenticated user can inject arbitrary sub-selects and exfiltrate any column the database role can see. [ref_id=1]
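The unsafe and hardened SELECT-list construction side by side, as an added Ruby example that is not Grit's code. It covers both the sub-select injection described under Attack vector and the whitelist-and-quote fix described here. It runs without ActiveRecord: `SCHEMA_COLUMNS`, `HOSTILE_COLUMNS`, the `quote_column_name` stand-in and the `COPY` wrapper text are all constructed assumptions; in a real controller the quoting would be `klass.connection.quote_column_name` and the schema list `klass.column_names`.

```ruby
# Added example, not code from the Grit project: the unsafe SELECT-list
# construction the advisory describes next to a hardened version that
# whitelists params[:columns] against the schema and quotes the survivors.

# Constructed schema for a hypothetical exportable resource (assumption:
# these column names are illustrative, not Grit's real ones).
SCHEMA_COLUMNS = %w[id name created_at].freeze

# Constructed hostile columns[] parameter of the kind the advisory describes:
# a sub-select aimed at grit_core_users smuggled in as a "column".
HOSTILE_COLUMNS = [
  'id',
  '(SELECT single_access_token FROM grit_core_users WHERE id = 1) AS leaked'
].freeze

# Stand-in for ActiveRecord's connection.quote_column_name on PostgreSQL:
# double-quote the identifier and double any embedded double quote.
def quote_column_name(name)
  %("#{name.to_s.gsub('"', '""')}")
end

# Vulnerable pattern: whatever arrives in params[:columns] becomes the
# SELECT list verbatim, which is what Model.select(*params[:columns]) does.
def vulnerable_select_list(requested)
  Array(requested).join(', ')
end

# Split the request into schema columns and everything else. Order follows
# the request so the CSV header matches what the caller asked for; the
# rejected list is what a controller should log or alert on.
def filter_export_columns(requested, schema = SCHEMA_COLUMNS)
  wanted = Array(requested).map(&:to_s)
  { allowed: wanted & schema, rejected: wanted - schema }
end

# Hardened pattern: only whitelisted, quoted, "sub."-prefixed identifiers
# reach the SELECT list; an empty survivor set is an error, not "SELECT *".
def safe_select_list(requested, schema = SCHEMA_COLUMNS)
  allowed = filter_export_columns(requested, schema)[:allowed]
  raise ArgumentError, 'no exportable columns requested' if allowed.empty?
  allowed.map { |c| "sub.#{quote_column_name(c)}" }.join(', ')
end

# Approximate shape of the COPY wrapper the advisory mentions (assumption:
# the exact query text used by Grit is not reproduced on the page).
def export_copy_sql(select_list, table)
  "COPY (SELECT #{select_list} FROM (SELECT * FROM #{quote_column_name(table)}) sub) " \
    'TO STDOUT WITH CSV HEADER'
end

if __FILE__ == $PROGRAM_NAME
  # The sub-select survives in the first query and is stripped in the second.
  puts export_copy_sql(vulnerable_select_list(HOSTILE_COLUMNS), 'origins')
  puts export_copy_sql(safe_select_list(HOSTILE_COLUMNS), 'origins')
  puts "rejected: #{filter_export_columns(HOSTILE_COLUMNS)[:rejected].inspect}"
end
```

The intersection with the schema list is the control that matters; quoting alone would not help, because a sub-select wrapped in double quotes is simply a non-existent column and the query would fail rather than leak, but a request that is never compared against the schema can still name any column the role can read. Raising on an empty survivor set avoids silently falling back to a full-row export.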

Preconditions

  • auth: Attacker must have an active user account on the grit instance (any role, including zero roles)
  • network: The target grit instance must be reachable over HTTP/S
  • config: The endpoint must be a resource declared with `resources_with_export` in the routes

Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)