Skip to main content

Open XDMoD CVE-2026-45779

| EUVDEUVD-2026-34908 CRITICAL
SQL Injection (CWE-89)
2026-06-05 security-advisories@github.com
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 22:01 EUVD
Source Code Evidence Fetched
Jun 05, 2026 - 20:32 vuln.today
Analysis Generated
Jun 05, 2026 - 20:32 vuln.today

DescriptionNVD

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 10.0.3 on 2023-08-04. As a workaround, apply the patch manually.

AnalysisAI

SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.

Technical ContextAI

Open XDMoD (XD Metrics on Demand), maintained by UBCCR, is an open-source framework used by high-performance computing centers to collect, analyze, and visualize resource utilization metrics. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into SQL queries without proper parameterization or escaping. Based on the v10.0.3 release notes, the fix appears related to Metric Explorer filter handling where quote characters were not properly neutralized, allowing query syntax to be broken out of and arbitrary SQL appended. The two distinct patch files published (covering 0.0.0-8.6.0 and 9.0.0-10.0.2 branches) confirm the issue spans the entire historical codebase.

RemediationAI

Upgrade to Open XDMoD 10.0.3 or later, available at https://github.com/ubccr/xdmod/releases/tag/v10.0.3 - this is the vendor-released patch and the primary fix. For deployments that cannot upgrade immediately, the vendor provides manual source patches at https://open.xdmod.org/security_patches/GHSA-r33r-6g3c-r992-0_0_0-8_6_0.patch (for versions 0.0.0-8.6.0) and https://open.xdmod.org/security_patches/GHSA-r33r-6g3c-r992-9_0_0-10_0_2.patch (for versions 9.0.0-10.0.2); apply the patch matching your branch. As a compensating control until patching, restrict network access to the XDMoD web interface to trusted research-network IP ranges via firewall or reverse-proxy ACL, accepting that this breaks access for legitimate remote HPC users; disabling the Metric Explorer feature is not advisable as it is core functionality. Full vendor advisory: https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992.

Share

CVE-2026-45779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy