CVE-2026-40814
Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in mbCONNECT24 dataapi.php allows remote attackers to access database contents, leading to total loss of confidentiality.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the dataapi.php file's _mb24confi_getTagAlarm function in MB connect line mbCONNECT24 and mymbCONNECT24. The issue arises from improper neutralization of special elements used in a SQL SELECT command. Affected versions are not explicitly listed in the description, but the product is mbCONNECT24/mymbCONNECT24. The advisory [1] indicates multiple SQLi vulnerabilities.
Exploitation
An unauthenticated remote attacker can send a crafted HTTP request to the vulnerable endpoint, injecting SQL commands. No authentication or user interaction is required. The attacker only needs network access to the affected product.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to unauthorized access to the database. This results in a total loss of confidentiality, as per the CVE description. The attacker can retrieve sensitive data from the database.
Mitigation
The advisory [1] does not mention a specific fixed version or patch. Users should contact MB connect line GmbH for updates or apply any available security patches. If no fix is available, consider network-level protections such as firewalls or restricting access to the vulnerable interface.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
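With no fixed version named, the mitigation above comes down to restricting and watching the interface. The following log-triage sketch is an added example, not code from the advisory or the vendor: it flags requests to dataapi.php whose query string carries SQL metacharacters. The log format (combined), the parameter names `fn` and `tag`, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines (combined log format). The query parameter names
# "fn" and "tag" are hypothetical; the page does not document the request shape.
SAMPLE_LOG = """\
198.51.100.7 - - [27/May/2026:10:01:02 +0000] "GET /dataapi.php?fn=getTagAlarm&tag=12 HTTP/1.1" 200 512
203.0.113.9 - - [27/May/2026:10:01:05 +0000] "GET /dataapi.php?fn=getTagAlarm&tag=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9034
203.0.113.9 - - [27/May/2026:10:01:09 +0000] "GET /index.php?q=select%20a%20plan HTTP/1.1" 200 100
192.0.2.44 - - [27/May/2026:10:02:00 +0000] "GET /dataapi.php?fn=getTagAlarm&tag=3%2F%2A%2A%2For%2F%2A%2A%2F1%3D1 HTTP/1.1" 500 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Quotes, statement separators, comment markers and a few SQL keywords that
# have no business in a value sent to a data API.
SQL_META = re.compile(
    r"'|\"|`|;|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)

def suspicious_requests(log_text, endpoint="dataapi.php"):
    """Return one dict per request to `endpoint` whose query string carries SQL metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + endpoint):
            continue  # other pages are out of scope for this check
        # Decode twice so single- and double-URL-encoded input is normalised.
        query = unquote_plus(unquote_plus(url.query))
        found = SQL_META.search(query)
        if found:
            hits.append({"client": client, "time": when, "method": method,
                         "status": int(status), "token": found.group(0), "query": query})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], repr(hit["query"]))
```

Access logs normally record only the request line, so parameters sent in a POST body are invisible to this check and need reverse-proxy or WAF logging instead.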
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.