Skip to main content

Umami Software CVE-2026-4317

| EUVDEUVD-2026-17349 CRITICAL
SQL Injection (CWE-89)
2026-03-31 INCIBE
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 31, 2026 - 10:15 euvd
EUVD-2026-17349
Analysis Generated
Mar 31, 2026 - 10:15 vuln.today
Patch released
Mar 31, 2026 - 10:15 nvd
Patch available
CVE Published
Mar 31, 2026 - 09:53 nvd
CRITICAL 9.3

DescriptionCVE.org

SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.

AnalysisAI

SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.

Technical ContextAI

This vulnerability stems from improper neutralization of special SQL elements (CWE-89) in Umami Software's analytics application. The root cause involves direct string interpolation of user-supplied timezone parameter values into SQL queries without parameterization or sanitization. The application uses multiple database abstraction layers including Prisma ORM's unsafe raw query methods (prisma.rawQuery, prisma.$queryRawUnsafe) and direct ClickHouse database queries. These methods bypass Prisma's built-in SQL injection protections when developers use string concatenation rather than parameterized queries. The timezone parameter, likely used in date/time manipulation queries for analytics aggregation, provides an injection point where attackers can break out of the intended query context and append arbitrary SQL commands. The CVSS 4.0 vector indicates network-accessible exploitation with low attack complexity, requiring only low-privilege authentication, resulting in high confidentiality and integrity impact on vulnerable systems.

RemediationAI

Apply the vendor-released patch identified in the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/sql-inyection-umami-software-application immediately. Organizations should upgrade their Umami Software installation to the patched version specified in the advisory, following the vendor's standard upgrade procedures which typically involve updating the application code and restarting services. The fix likely involves replacing unsafe raw query methods with parameterized queries or implementing proper input validation and sanitization for the timezone parameter across all affected database query interfaces. As an interim mitigation measure before patching, administrators could implement input validation at the web application firewall or reverse proxy layer to restrict timezone parameter values to a whitelist of valid timezone identifiers, though this should not replace the vendor patch. After patching, conduct a security audit of database logs to identify any suspicious queries or unauthorized access attempts that may have occurred prior to remediation. Review access controls to ensure the principle of least privilege is applied to authenticated user accounts.

Share

CVE-2026-4317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy