Skip to main content

Focalboard CVE-2026-25773

| EUVDEUVD-2026-18651 HIGH
SQL Injection (CWE-89)
2026-04-03 Mattermost GHSA-p32q-v29x-wq9r
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 00:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 00:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 03, 2026 - 13:45 euvd
EUVD-2026-18651
Analysis Generated
Apr 03, 2026 - 13:45 vuln.today
CVE Published
Apr 03, 2026 - 13:24 nvd
HIGH 8.1

DescriptionCVE.org

UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

AnalysisAI

Second-order SQL injection in Focalboard 8.0 and earlier allows authenticated attackers to exfiltrate password hashes and other sensitive data via time-based blind injection through the category reorder API. Malicious SQL payloads injected into category ID fields persist in the database and execute unsanitized during subsequent reorder operations. Focalboard standalone is unsupported and will not receive a security patch. EPSS score of 0.01% indicates very low observed exploitation probability, consistent with the narrow attack surface requiring authenticated access to an end-of-life product.

Technical ContextAI

Focalboard is a Kanban-style project management tool (now archived by Mattermost). This vulnerability stems from CWE-89 (SQL Injection), specifically a second-order variant where malicious input is stored sanitized but later retrieved and executed without proper escaping. The category reorder API constructs dynamic SQL statements incorporating category IDs from database storage. Unlike first-order SQL injection where payloads execute immediately, second-order attacks require two steps: initial storage of the malicious payload and subsequent trigger via a different operation. Time-based blind SQL injection uses database timing functions (SLEEP, WAITFOR) to infer data one bit at a time by measuring response delays, enabling attackers to extract data even when application errors are suppressed. The affected CPE (cpe:2.3:a:mattermost:focalboard:*:*:*:*:*:*:*:*) confirms all versions through 8.0 are vulnerable.

RemediationAI

No vendor-released patch exists or will be developed as Focalboard standalone is end-of-life and unsupported by Mattermost. Organizations must migrate to actively maintained alternatives such as Mattermost Boards (the integrated successor), Trello, Jira, or other Kanban platforms. For systems requiring temporary continued operation, implement compensating controls: enforce principle of least privilege by restricting Focalboard user accounts to only trusted personnel (reducing PR:L attack surface), deploy web application firewall rules to detect SQL injection patterns in category reorder requests (monitor for SLEEP, WAITFOR, BENCHMARK functions and unusual URL-encoded payloads), enable database query logging and alerting for anomalous execution times indicating blind injection attempts, and segment Focalboard database credentials to prevent lateral movement if compromised. Network isolation (restrict access to internal users via VPN) reduces AV:N exposure. All compensating controls impose operational overhead and do not eliminate the vulnerability-migration remains the only complete remediation. Consult Mattermost documentation if using integrated Boards functionality within Mattermost platform.

Share

CVE-2026-25773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy