Skip to main content

TeknoPass CVE-2026-4104

| EUVDEUVD-2026-34243 CRITICAL
SQL Injection (CWE-89)
2026-06-04 iletisim@usom.gov.tr GHSA-mwfc-634j-85cc
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 12:30 vuln.today

DescriptionCVE.org

Authorization bypass through User-Controlled SQL primary key vulnerability in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass allows SQL Injection.

This issue affects TeknoPass: from 20210501 through 20260429.

AnalysisAI

SQL injection in Akmer Informatics TeknoPass versions 20210501 through 20260429 allows remote unauthenticated attackers to bypass authorization by manipulating a user-controlled SQL primary key. With a CVSS 9.8 score and full CIA impact under network-reachable, low-complexity conditions, successful exploitation can yield database compromise and authorization bypass. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

TeknoPass is a product from Akmer Informatics Automation Industry and Trade Ltd. Co., reported through Turkey's national CERT (USOM/siberguvenlik.gov.tr). The root cause class is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically combined with authorization bypass through a user-controlled primary key: an attacker can supply a primary-key value that the application incorporates into a backend SQL query without proper parameterization, allowing both injection of SQL syntax and circumvention of object-level access checks that rely on the unmodified key. No CPE strings were provided in the input data, so the precise component, language stack, and database backend are not independently confirmed beyond the vendor name and product identifier.

RemediationAI

Patch availability is not explicitly stated in the supplied data, so this should be classified as patch available per vendor advisory pending direct confirmation - administrators should consult the USOM advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0309 and contact Akmer Informatics for a build released after 20260429, since every build in the 20210501-20260429 range is affected. Until a fixed build is deployed, restrict network reachability of the TeknoPass application to trusted management networks or VPN-only access, place a web application firewall in front of the application with rules tuned to block SQL meta-characters and tautology patterns in primary-key parameters (accepting the trade-off of possible false positives on legitimate inputs containing quotes or numeric overflows), and enable database-side query logging to detect anomalous identifiers in WHERE clauses. Reducing the database account's privileges to the minimum needed by the application limits, but does not eliminate, the impact of a successful injection.

Share

CVE-2026-4104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy