VYPR · High severity (CVSS 8.1) · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026

CVE-2026-8851

Description

SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SOGo <= 5.12.7 has a SQL injection in the ACL addUserInAcls endpoint that allows authenticated users to extract arbitrary database data via out-of-band exfiltration.

Vulnerability

SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality. The uid parameter of the addUserInAcls endpoint is not properly sanitized, allowing authenticated users to inject arbitrary SQL subqueries [1][2].

Exploitation

An attacker with valid credentials can send a crafted POST request to the addUserInAcls endpoint, embedding malicious SQL code in the uid parameter. The injected query executes within the database context, and the attacker can write the results of the subquery into the sogo_acl table. The exfiltrated data can then be retrieved by querying the /acls API, establishing an out-of-band data exfiltration channel [2].

Impact

Successful exploitation allows the attacker to extract arbitrary data from the SOGo database, potentially including sensitive information such as user credentials or email content. The CVSS v3 score is 8.1, indicating high severity, with high impact on confidentiality and integrity [2].

Mitigation

The vulnerability is fixed in SOGo version 5.12.8 [1][3]. Administrators are strongly advised to upgrade immediately, as all prior versions are affected. No workarounds have been published.
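The defect class described above, as an added illustration that is not SOGo's code and not the 5.12.8 fix: a toy ACL table in SQLite, an INSERT that splices the caller-controlled uid into the statement text (so a uid value carrying a subquery writes other rows' data into the ACL table, where a listing call then reads it back), and the parameterized form that binds uid as data. The table and column names, the credentials table, the sample secret and the identifier allow-list pattern are all constructed assumptions for this demo, not SOGo's schema or validation rules.

```python
import re
import sqlite3

# Constructed toy schema (hypothetical; not SOGo's sogo_acl schema).
# "acl" stands in for the ACL table; "credentials" stands in for data that an
# injected subquery could pull into it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE acl (folder TEXT, uid TEXT, role TEXT);
        CREATE TABLE credentials (username TEXT, secret TEXT);
        INSERT INTO credentials VALUES ('alice', 'constructed-secret-1');
    """)
    return conn


def add_user_in_acl_vulnerable(conn, folder, uid, role):
    # Defective pattern: the uid value becomes part of the SQL text, so any
    # quoting or subquery it carries is parsed and evaluated by the database.
    sql = f"INSERT INTO acl (folder, uid, role) VALUES ('{folder}', '{uid}', '{role}')"
    conn.execute(sql)
    conn.commit()


def add_user_in_acl_safe(conn, folder, uid, role):
    # Hardened pattern: uid is bound as a parameter and stored verbatim; the
    # database never interprets it as SQL.
    conn.execute(
        "INSERT INTO acl (folder, uid, role) VALUES (?, ?, ?)", (folder, uid, role)
    )
    conn.commit()


def list_acl_uids(conn, folder):
    # Stands in for reading ACL entries back through an /acls-style listing;
    # this is the read side of the out-of-band channel the advisory describes.
    return [row[0] for row in conn.execute("SELECT uid FROM acl WHERE folder = ?", (folder,))]


# Defense-in-depth allow-list for identifiers (an assumed conservative pattern,
# not SOGo's actual uid format). Useful both as an input check before the query
# and as a heuristic when reviewing request logs for odd uid values.
UID_PATTERN = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def is_plausible_uid(uid):
    return UID_PATTERN.fullmatch(uid) is not None


def demo():
    # Constructed uid value whose string concatenation wraps a scalar subquery.
    payload = "x' || (SELECT secret FROM credentials WHERE username = 'alice') || '"

    vuln = make_db()
    add_user_in_acl_vulnerable(vuln, "Calendar/personal", payload, "viewer")

    safe = make_db()
    add_user_in_acl_safe(safe, "Calendar/personal", payload, "viewer")

    return {
        "vulnerable_stored": list_acl_uids(vuln, "Calendar/personal"),
        "safe_stored": list_acl_uids(safe, "Calendar/personal"),
        "payload_passes_allowlist": is_plausible_uid(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the string-built INSERT the stored uid is the secret pulled from the other table (prefixed by the literal "x"), which is exactly the write-then-read exfiltration pattern the advisory describes; with the bound parameter the stored uid is the untouched input string, and the allow-list rejects it before any query runs.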

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
