CVE-2026-40815
Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in mbCONNECT24/mymbCONNECT24 allows remote attackers to read the entire database without authentication, leading to total loss of confidentiality.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the _mb24api_getUserAccount function of MB connect line's mbCONNECT24 and mymbCONNECT24 products. The flaw is caused by improper neutralization of special elements used in a SQL SELECT command. This allows an attacker to inject arbitrary SQL queries. The affected versions are not fully enumerated in the available references, but the advisory [1] states that multiple SQLi vulnerabilities affect the product family. The vulnerability requires no authentication and is remotely exploitable.
Exploitation
An unauthenticated remote attacker can send a specially crafted HTTP request to the affected endpoint that calls _mb24api_getUserAccount. By placing SQL metacharacters (such as a single quote, comment sequences, or a UNION clause) in the input parameters, the attacker alters the structure of the underlying SELECT statement rather than merely its compared value, and can therefore read rows and tables the query was never meant to expose. No prior authentication, user interaction, or special privileges are required, and the attacker can be anywhere on the network that reaches the web interface, including the internet.
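The following is an added illustration, not code from the mbCONNECT24 product or from the advisory; the real _mb24api_getUserAccount code is not public and its language, table and parameter names are unknown. It assumes a hypothetical account lookup that splices a caller-controlled username into a SELECT (the class of bug the description names, CWE-89 in a SELECT command), shows the two payloads that turn it into a full read of the table and of the schema, and places the parameterized form beside it so the difference in behaviour on the same input is visible. The database and its rows are constructed in memory for the example.

```python
import sqlite3

# Constructed sample data standing in for the product's account table.
# Table and column names are assumptions for the example only.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user_account ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, pw_hash TEXT)"
    )
    db.executemany(
        "INSERT INTO user_account (username, email, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "$2y$10$aaaaaaaa"),
            ("bob", "bob@example.com", "$2y$10$bbbbbbbb"),
            ("svc_backup", "backup@example.com", "$2y$10$cccccccc"),
        ],
    )
    return db


# Hypothetical vulnerable lookup: the untrusted value is interpolated into
# the SQL text, so quotes in it change the statement's structure.
def get_user_account_vulnerable(db, username):
    sql = (
        "SELECT id, username, email, pw_hash FROM user_account "
        "WHERE username = '%s'" % username
    )
    return db.execute(sql).fetchall()


# Hardened form: the value travels as a bound parameter and can never be
# parsed as SQL, whatever characters it contains.
def get_user_account_fixed(db, username):
    sql = "SELECT id, username, email, pw_hash FROM user_account WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Payload 1: tautology. The WHERE clause becomes
#   username = '' OR '1'='1'
# and every row (every account, every hash) comes back.
TAUTOLOGY = "' OR '1'='1"

# Payload 2: UNION into the schema catalogue. The column count (4) must
# match the original SELECT; the trailing comment swallows the closing quote.
# sqlite_master is SQLite's catalogue; other engines expose information_schema.
UNION_SCHEMA = "x' UNION SELECT 1, name, sql, '' FROM sqlite_master --"


def dump_everything(db):
    """Demonstrates the 'total loss of confidentiality' outcome: one request
    per payload is enough to read all accounts and the table definitions."""
    accounts = get_user_account_vulnerable(db, TAUTOLOGY)
    schema = get_user_account_vulnerable(db, UNION_SCHEMA)
    return {"accounts": accounts, "schema": schema}


if __name__ == "__main__":
    db = build_db()
    print("legitimate lookup:", get_user_account_vulnerable(db, "alice"))
    for name, rows in dump_everything(db).items():
        print(name)
        for row in rows:
            print("   ", row)
    print("same payloads against the parameterized query:")
    print("   ", get_user_account_fixed(db, TAUTOLOGY))
    print("   ", get_user_account_fixed(db, UNION_SCHEMA))
```

The fixed variant returns an empty list for both payloads because the driver binds the whole string as one literal; it does not "sanitize" anything, and that is the point: parameterization removes the need to reason about which characters are special. A web application firewall that blocks the two payloads shown would not close the hole, since the same query structure can be reached with many other encodings.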
Impact
Successful exploitation results in unauthorized read access to the database containing user accounts and potentially other sensitive data. The confidentiality of the system is completely compromised, as the attacker can extract all information stored in the database. The CVSS v3 base score of 7.5 (High) reflects the high impact on confidentiality. No impact on integrity or availability is reported.
Mitigation
The vendor MB connect line GmbH has not yet released a fixed version as of the publication date (2026-05-27). The advisory [1] does not mention a patch or workaround. Users should isolate affected systems from untrusted networks and apply any vendor updates as soon as they become available. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.