CVE-2026-40841

Vulnerability

An unauthenticated SQL injection vulnerability exists in the getProjectTags function of MB connect line's mbCONNECT24 and mymbCONNECT24 products due to improper neutralization of special elements used in a SQL SELECT command. This allows a remote attacker with low privileges to inject arbitrary SQL queries. The affected versions are not specified in the available reference [1], but the advisory indicates multiple SQLi vulnerabilities across the product line.

Exploitation

A remote attacker with low-privileged network access can exploit this vulnerability by sending a crafted HTTP request to the getProjectTags endpoint without requiring authentication. The attacker can manipulate input parameters such as tags to inject malicious SQL commands. Since the attacker is already low-privileged, they can reach the vulnerable function and execute the injection.

Impact

Successful exploitation results in arbitrary read access to the backend database, leading to total loss of confidentiality. The attacker can extract sensitive data, including user credentials, configuration details, or other proprietary information stored in the database.

Mitigation

No fixed version or patch is disclosed in the available reference [1]. Users are advised to monitor the vendor's advisory for updates. As a workaround, restrict network access to the affected products and consider implementing input validation or a web application firewall (WAF) to block suspicious SQL patterns until a patch is available.