VYPR
High severity · 8.8 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-50636

Description

SQL injection in LimeSurvey's RemoteControl API allows attackers to read, modify, or delete database data, including admin credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The invite_participants and remind_participants methods within LimeSurvey's RemoteControl API are vulnerable to SQL injection. These methods pass a caller-supplied token-ID array directly into the TokenDynamic::findUninvited() function, which concatenates these values into an SQL IN clause without proper parameterization or input validation. This vulnerability affects LimeSurvey versions prior to the fix released on June 5, 2026 [2].

Exploitation

A remote, authenticated attacker with tokens/update permission on a survey can exploit this vulnerability. By injecting a crafted array element into the token-ID array, the attacker can trigger SQL injection. Because LimeSurvey uses PDO with emulated prepared statements and does not disable MySQL multi-statements, the injection supports stacked queries, allowing the attacker to append arbitrary SQL statements [2].

Impact

Successful exploitation allows an attacker to perform arbitrary read, write, or delete operations on any data accessible by the application's database user. This includes reading administrator bcrypt password hashes, survey response PII, session records, and global settings. Attackers can also overwrite administrator password hashes for immediate account takeover or drop/truncate tables [2].

Mitigation

A fix was released on June 5, 2026, by replacing addCondition/implode with addInCondition in the TokenDynamic::findUninvited() method [3]. Users should update to a patched version of LimeSurvey. The RemoteControl interface (RPCInterface = json/xml) must be enabled for this vulnerability to be exploitable, which is not the default configuration [2].
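The concatenated IN clause described under Vulnerability, and the parameterized form the fix moves to, shown as an added example that is not LimeSurvey's or Yii's own code. It does in plain PDO what Yii's addInCondition() does internally (one placeholder per value, with the values bound separately from the SQL text), adds the integer validation that binding alone does not give you, and switches off emulated prepared statements, which the Exploitation section names as the setting that lets an injected string carry stacked queries. It assumes an in-memory SQLite database with a constructed `tokens` table; the helper names openDemoDb() and findUninvitedSafe() are this example's own, not LimeSurvey identifiers.

```php
<?php
// Added example (not LimeSurvey code): build the "tid IN (...)" filter with
// bound parameters instead of implode()-ing caller-supplied values into SQL.
// Uses an in-memory SQLite database so it runs offline; the table and rows
// below are constructed for the demo.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Native prepared statements: the database driver, not PHP string handling,
    // keeps SQL text and parameter values apart. With the MySQL driver you would
    // additionally pass PDO::MYSQL_ATTR_MULTI_STATEMENTS => false in the
    // constructor options so one query string can never carry stacked statements.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $pdo->exec('CREATE TABLE tokens (tid INTEGER PRIMARY KEY, email TEXT, sent TEXT)');
    $pdo->exec("INSERT INTO tokens VALUES (1, 'a@example.test', 'N'), "
             . "(2, 'b@example.test', 'N'), (3, 'c@example.test', 'Y')");
    return $pdo;
}

/**
 * Return the not-yet-invited token rows whose tid is in $tokenIds.
 * Every element is validated as an integer before it is bound; anything else
 * is rejected loudly rather than silently quoted into the query.
 */
function findUninvitedSafe(PDO $pdo, array $tokenIds): array
{
    $ids = [];
    foreach ($tokenIds as $value) {
        // Accept PHP ints and digit-only strings (what an API caller sends); reject the rest.
        if (!is_int($value) && !(is_string($value) && ctype_digit($value))) {
            throw new InvalidArgumentException('token id must be an integer');
        }
        $ids[] = (int) $value;
    }
    if ($ids === []) {
        return [];
    }
    // One "?" per id; the values travel to the driver separately from the SQL text.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT tid, email FROM tokens WHERE sent = 'N' AND tid IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openDemoDb();
// Mixed int/string ids are fine; tid 3 is excluded because it was already sent.
print_r(findUninvitedSafe($pdo, [1, '2', 3]));

// A non-integer element never reaches the database.
try {
    findUninvitedSafe($pdo, [1, 'two']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation step is what makes the difference for a defender reviewing this class of fix: parameter binding alone guarantees a crafted element cannot change the query's structure, but casting to int as well means a malformed request is rejected at the API boundary and can be logged, instead of being bound as a harmless string that quietly matches nothing.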

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (1)
98cfee55df97

Fixed issue #20549: [security] SQL Injection in RemoteControl invite_participants and remind_participants (#5031)

https://github.com/LimeSurvey/LimeSurvey · Denis Chenu · Jun 5, 2026 · via nvd-ref
1 file changed · +1 −1
  • application/models/TokenDynamic.php · +1 −1 · modified
    @@ -199,7 +199,7 @@ public function findUninvited($aTokenIds = false, $iMaxEmails = 0, $bEmail = tru
             }
     
             if ($aTokenIds) {
    -            $command->addCondition("tid IN ('" . implode("', '", $aTokenIds) . "')");
    +            $command->addInCondition("tid", $aTokenIds);
             }
     
             if ($iMaxEmails) {
    
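Review bot: the new `$command->addInCondition("tid", $aTokenIds);` line binds the values, but nothing in the hunk checks that the elements of `$aTokenIds` are integers, and the change touches only one file, so it ships without a regression test. Suggest normalising the array before the condition is built, e.g. `$aTokenIds = array_map('intval', $aTokenIds);`, so a non-numeric element is rejected or neutralised at the API boundary instead of being bound as an arbitrary string, and adding a test that calls `findUninvited()` with a non-numeric token id and asserts it matches no rows. The surrounding `if ($aTokenIds)` guard is unchanged, which keeps the empty-array case out of the IN clause; worth a one-line docblock note on the method that an empty or false `$aTokenIds` means "no tid filter".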

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (3)

News mentions (0)

No linked articles in our index yet.