CVE-2026-40837
Description
A low-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in the getProjectScalings function of mbCONNECT24/mymbCONNECT24 allows low-privileged remote attackers to read arbitrary database contents, leading to total loss of confidentiality.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the getProjectScalings function of MB connect line mbCONNECT24 and mymbCONNECT24. The issue stems from improper neutralization of special elements used in a SQL SELECT command, allowing an attacker to inject arbitrary SQL queries. Affected versions are those detailed in the vendor advisory [1]; no specific version range is provided in the available references, but the advisory confirms the vulnerability affects mbCONNECT24/mymbCONNECT24 products.
Exploitation
An attacker with low-privileged remote access can exploit this vulnerability by sending a crafted request to the getProjectScalings endpoint. No prior authentication is required to trigger the injection. The attacker can manipulate input parameters to inject SQL commands, which are then executed against the database. The advisory [1] does not specify further prerequisites, but a remote network position and the ability to send HTTP requests to the affected product are necessary.
Impact
Successful exploitation results in unauthorized read access to the database, leading to a total loss of confidentiality. The attacker can retrieve sensitive data stored in the database, such as user credentials or other confidential information. The vulnerability does not appear to allow modification or deletion of data (based on the official description stating only confidentiality loss), and the attacker remains at the privilege level granted by the database user, likely with limited write privileges.
Mitigation
The vendor advisory [1] was published on May 27, 2026, but does not mention a specific fixed version or patch release date. Users should monitor the vendor's advisory page for updates. If no patch is yet available, administrators should consider restricting network access to the affected interface or applying web application firewall rules to block SQL injection patterns. No workaround is explicitly provided in the references. The CVE is not listed in CISA KEV as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.