Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.
AnalysisAI
SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.
Technical ContextAI
This vulnerability stems from improper neutralization of special SQL elements (CWE-89) in Umami Software's analytics application. The root cause involves direct string interpolation of user-supplied timezone parameter values into SQL queries without parameterization or sanitization. The application uses multiple database abstraction layers including Prisma ORM's unsafe raw query methods (prisma.rawQuery, prisma.$queryRawUnsafe) and direct ClickHouse database queries. These methods bypass Prisma's built-in SQL injection protections when developers use string concatenation rather than parameterized queries. The timezone parameter, likely used in date/time manipulation queries for analytics aggregation, provides an injection point where attackers can break out of the intended query context and append arbitrary SQL commands. The CVSS 4.0 vector indicates network-accessible exploitation with low attack complexity, requiring only low-privilege authentication, resulting in high confidentiality and integrity impact on vulnerable systems.
RemediationAI
Apply the vendor-released patch identified in the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/sql-inyection-umami-software-application immediately. Organizations should upgrade their Umami Software installation to the patched version specified in the advisory, following the vendor's standard upgrade procedures which typically involve updating the application code and restarting services. The fix likely involves replacing unsafe raw query methods with parameterized queries or implementing proper input validation and sanitization for the timezone parameter across all affected database query interfaces. As an interim mitigation measure before patching, administrators could implement input validation at the web application firewall or reverse proxy layer to restrict timezone parameter values to a whitelist of valid timezone identifiers, though this should not replace the vendor patch. After patching, conduct a security audit of database logs to identify any suspicious queries or unauthorized access attempts that may have occurred prior to remediation. Review access controls to ensure the principle of least privilege is applied to authenticated user accounts.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17349