Skip to main content

FileMaker Cloud CVE-2026-43685

| EUVDEUVD-2026-29879 HIGH
OS Command Injection (CWE-78)
2026-05-12 apple GHSA-vxm5-52jm-vr7c
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:57 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.2 (None) 7.2 (HIGH)
Patch available
May 13, 2026 - 02:01 EUVD
CVE Published
May 12, 2026 - 22:24 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 22:24 nvd
HIGH 7.2

DescriptionCVE.org

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.

AnalysisAI

Remote code execution in Claris FileMaker Cloud allows authenticated administrators to execute arbitrary operating system commands via command injection in the External ODBC Data Source connection test feature. The vulnerability requires Admin Console privileges (PR:H) but no user interaction, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. EPSS score of 0.23% (46th percentile) indicates low observed exploitation probability despite the RCE capability. Fixed in FileMaker Cloud version 2.22.0.5.

Technical ContextAI

This vulnerability exploits CWE-78 (OS Command Injection) in the External ODBC Data Source connection test feature within FileMaker Cloud's Admin Console. FileMaker Cloud is Claris's cloud-hosted database platform that enables organizations to deploy custom FileMaker applications. The ODBC (Open Database Connectivity) connection test feature is designed to validate connections to external data sources. The vulnerability arises from insufficient input sanitization when processing administrator-supplied parameters during ODBC connection testing, allowing shell metacharacters or command separators to break out of the intended context and execute arbitrary system commands with the privileges of the FileMaker Cloud service process. The network attack vector (AV:N) combined with low complexity (AC:L) means remote administrators can exploit this through the web-based Admin Console without requiring additional access or complex timing conditions.

RemediationAI

Upgrade to FileMaker Cloud version 2.22.0.5 or later, which contains input sanitization fixes for the ODBC connection test feature per vendor advisory 000049154 (https://support.claris.com/s/answerview?anum=000049154&language=en_US). As a temporary mitigation if immediate patching is not feasible, restrict Admin Console access through IP allowlisting to trusted administrator workstations only, implement multi-factor authentication for all admin accounts, enable comprehensive audit logging for Admin Console activities (particularly ODBC configuration changes), and monitor for unusual ODBC connection test requests or unexpected system process spawning. Note that access restrictions reduce exposure but do not eliminate the vulnerability - patching remains the only complete remediation. Review admin account usage and revoke unnecessary Admin Console privileges following principle of least privilege.

Share

CVE-2026-43685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy