CVE-2026-40846
Description
A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in mbCONNECT24/mymbCONNECT24 allows a low-privileged remote attacker to read sensitive database data, leading to total loss of confidentiality.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the system view of MB connect line's mbCONNECT24 and mymbCONNECT24 products. The flaw is caused by improper neutralization of special elements used in a SQL SELECT command. An attacker with low privileges can exploit this vulnerability remotely. Affected versions have not been explicitly listed in available references, but the advisory (VDE-2026-044) covers all mbCONNECT24/mymbCONNECT24 versions [1].
Exploitation
A low-privileged remote attacker can send a crafted request to the affected system view, injecting SQL commands through an unsanitized input field. No prior authentication is required, and no user interaction is necessary. The attacker does not need any special network position beyond being able to reach the vulnerable endpoint [1].
Impact
Successful exploitation leads to a total loss of confidentiality. The attacker can read arbitrary data from the database, including sensitive information such as credentials or configuration data. The impact is limited to disclosure; integrity and availability are not directly compromised [1].
Mitigation
As of the publication date (2026-05-27), no fixed version has been announced. The vendor has not provided workarounds in the available references. Users are advised to monitor the vendor’s advisory page for updates and restrict network access to the affected systems where possible [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.