Skip to main content

OSNexus QuantaStor CVE-2026-10880

| EUVDEUVD-2026-34305 CRITICAL
SQL Injection (CWE-89)
2026-06-04 BLSOPS GHSA-wvpj-mf49-p9p4
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 04, 2026 - 19:01 EUVD
Analysis Generated
Jun 04, 2026 - 18:00 vuln.today

DescriptionCVE.org

OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.

AnalysisAI

Authentication bypass via SQL injection in OSNexus QuantaStor SDS Manager allows unauthenticated remote attackers to log in as administrator by injecting crafted input into the login endpoint's username field. The flaw carries a CVSS 9.8 rating and grants full administrative control over the storage management plane without any valid credentials. No public exploit identified at time of analysis, though the vulnerability was disclosed by researchers at Black Lantern Security (BLSOPS).

Technical ContextAI

QuantaStor is a software-defined storage (SDS) platform from OSNexus that unifies block, file, and object storage management across clusters; the SDS Manager is its web-based administrative interface. The root cause is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically in the authentication handler where the username parameter is concatenated or interpolated into a SQL query without parameterization or proper escaping. Because the query result drives the authentication decision, classic SQLi payloads (e.g., tautologies in the username field) can return a row matching an admin account and short-circuit password verification, turning a data-layer flaw into a full authentication bypass. The CPE 'cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:*' indicates all currently catalogued versions are potentially in scope until vendor advisory clarifies fixed versions.

RemediationAI

No vendor-released patch identified at time of analysis from the provided intelligence; verify the latest OSNexus advisories and apply any released QuantaStor SDS Manager update as soon as it is published. As compensating controls, immediately restrict network access to the QuantaStor management web interface to a dedicated administrative VLAN or jump-host via firewall ACLs so the login endpoint is not reachable from general user networks or the internet (trade-off: remote admins must use VPN/jump access); place the management UI behind a reverse proxy or WAF with rules blocking SQL metacharacters such as quotes, comments, and UNION/OR tautologies in the username field (trade-off: may break legitimate usernames containing special characters); enable verbose authentication logging and alert on any successful admin login from unexpected source IPs or any failed-then-successful login pattern indicative of injection probing. Consult the disclosure at https://blog.blacklanternsecurity.com/p/cve-2026-10880-osnexus-quantastor for indicators and verify CPE coverage against your deployed build.

Share

CVE-2026-10880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy