VYPR
Medium severity 6.5 · NVD Advisory · Published May 27, 2026

CVE-2026-40832

Description

A low-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in mbCONNECT24's getDevicegroups function allows low-privileged remote attackers to access the database, leading to total loss of confidentiality.

Vulnerability

The vulnerability is an unauthenticated SQL injection in the getDevicegroups function of MB connect line mbCONNECT24 and mymbCONNECT24 products [1]. Improper neutralization of special elements in a SQL SELECT command allows an attacker to inject arbitrary SQL queries. The affected versions are not explicitly listed in the available references, but the advisory [1] indicates multiple SQLi vulnerabilities exist in these products.

Exploitation

An attacker with network access to the vulnerable system can exploit this SQL injection without requiring authentication. The attacker sends a crafted request to the getDevicegroups endpoint containing malicious SQL syntax. No special privileges or user interaction is needed beyond network connectivity.

Impact

Successful exploitation results in the attacker being able to execute arbitrary SQL commands against the database. This leads to a total loss of confidentiality, as the attacker can retrieve any data stored in the database, including sensitive information.

Mitigation

As of the publication date (2026-05-27), no official patch or fixed version has been announced by MB connect line GmbH. Users are advised to monitor the vendor's advisory [1] and apply updates when they become available. No workarounds are documented in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
