CVE-2026-40824
Description
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged remote attacker can use an unauthenticated SQL injection in the accountstatus view userid parameter to read the entire database and modify a non-critical table.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the userid parameter of the accountstatus view of MB connect line's mbCONNECT24/mymbCONNECT24 products. The absence of proper neutralization of special elements used in a SQL UPDATE command allows an attacker to manipulate the underlying database query. The affected versions are those specified in the vendor advisory [1], which include multiple product lines.
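As an added illustration of the weakness class named above (special elements not neutralized in a SQL UPDATE command), not code from mbCONNECT24/mymbCONNECT24 or from the vendor advisory: the vulnerable construction beside a hardened one. The table and column names, the use of Python with sqlite3, and the sample rows are assumptions made for this example; the product's real stack and data model are not described on this page.

```python
import re
import sqlite3

# Constructed sample schema standing in for an "account status" table.
# Table name, column names and rows are assumptions for this illustration.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account_status (userid INTEGER PRIMARY KEY, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO account_status VALUES (?, ?)",
        [(1, "active"), (2, "active"), (3, "locked")],
    )
    conn.commit()
    return conn


def set_status_vulnerable(conn: sqlite3.Connection, userid: str, status: str) -> int:
    """Improper neutralization (CWE-89): the request parameter is spliced
    straight into the UPDATE text, so SQL metacharacters in it change the
    meaning of the statement instead of being treated as a user id."""
    sql = f"UPDATE account_status SET status = '{status}' WHERE userid = {userid}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually modified


# A user id is expected to be a short decimal integer; anything else is rejected
# before it reaches the database layer.
USERID_RE = re.compile(r"\d{1,9}")


def set_status_hardened(conn: sqlite3.Connection, userid: str, status: str) -> int:
    """Validate the parameter against the type the application expects, then
    bind it as data so the database engine never parses it as SQL."""
    if not USERID_RE.fullmatch(userid):
        raise ValueError("userid must be a decimal integer")
    cur = conn.execute(
        "UPDATE account_status SET status = ? WHERE userid = ?",
        (status, int(userid)),
    )
    conn.commit()
    return cur.rowcount


def rows_with_status(conn: sqlite3.Connection, status: str) -> int:
    """Helper used to check how many rows an update really touched."""
    row = conn.execute(
        "SELECT COUNT(*) FROM account_status WHERE status = ?", (status,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    # A legitimate request changes exactly the one intended row.
    print("hardened, valid id:", set_status_hardened(conn, "2", "locked"))
    # A malformed user id is refused outright rather than handed to SQL.
    try:
        set_status_hardened(conn, "2 OR 1=1", "locked")
    except ValueError as exc:
        print("hardened, malformed id rejected:", exc)
```

The point to check in a code base is the `rowcount` of an UPDATE keyed on a request parameter: with the parameter bound as data, a malformed value can never widen the WHERE clause, whereas the string-built form lets the parameter rewrite the predicate and touch every row. A type check such as `USERID_RE` is defence in depth; the binding is what removes the injection.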
Exploitation
The attacker must be a high-privileged remote user with network access to the application. No prior authentication is required for the vulnerable endpoint. The attacker injects malicious SQL into the userid parameter of the accountstatus view, triggering an UPDATE statement that can be altered to execute arbitrary SQL commands. The advisory confirms that the vulnerability is exploitable without user interaction [1].
Impact
Successful exploitation results in total loss of database confidentiality, as the attacker can read the entire database contents. Additionally, the attacker can modify values in a non-critical table, leading to some loss of integrity. No other integrity impact is described, and neither denial of service nor remote code execution is mentioned in the available references [1].
Mitigation
The vendor advisory from MB connect line GmbH [1] was published on 2026-05-27. Specific fixed versions and workarounds have not yet been disclosed in the available references. Users should monitor the vendor advisory for updated information. The CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference: the MB connect line GmbH vendor advisory [1].
News mentions
No linked articles in our index yet.