CVE-2026-40826

Vulnerability

The vulnerability is an SQL injection in the dsgvo_contracts view of mbCONNECT24/mymbCONNECT24. The software fails to properly neutralize special elements in a SQL SELECT command, allowing an attacker to inject arbitrary SQL. The view is accessible without authentication, but exploitation requires high privileges. Affected versions are not explicitly listed in the available reference [1]; the advisory covers multiple SQLi vulnerabilities in mbCONNECT24/mymbCONNECT24.

Exploitation

An attacker with high privileges (e.g., administrative access) can send crafted SQL commands to the dsgvo_contracts view. The attack is remote and does not require prior authentication to the view itself. The exact steps are not detailed in the references, but the attacker would inject malicious SQL via input parameters to the view [1].

Impact

Successful exploitation leads to total loss of confidentiality, as the attacker can read arbitrary data from the database. The impact is limited to confidentiality; integrity and availability are not mentioned [1].

Mitigation

No specific fix version is provided in the available reference [1]. The advisory from CERT-VDE (VDE-2026-044) recommends applying vendor updates when available. Users should monitor MB connect line's security advisories for patches. No workaround is disclosed.