Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
When the DLP is active, the UserCheck Web Portal contains an input-handling issue in the UserChoice flow. Under specific conditions, an attacker who can access the UserCheck Ask page could attempt to manipulate the Security Gateway's stored DLP/UserCheck incident information. This could lead to disruptions such as loss of stored incident entries, incorrect handling of pending approvals, or resource impact if the issue is abused repeatedly. Exposure is reduced if the UserCheck Portal is not accessible from untrusted networks.
AnalysisAI
SQL injection in Check Point Quantum Security Gateway's UserCheck Web Portal allows a remote unauthenticated attacker who can reach the UserCheck Ask page to manipulate the Security Gateway's stored DLP incident database when the DLP blade is active. Successful exploitation can cause loss of stored incident entries, disruption of pending approval workflows, or resource exhaustion through repeated abuse - all of which could undermine the integrity of an organization's data loss prevention audit trail. No public exploit code has been identified and EPSS is very low at 0.06% (18th percentile), with no CISA KEV listing at time of analysis.
Technical ContextAI
The affected component is the UserCheck Web Portal's UserChoice flow - an end-user-facing interface embedded in Check Point Quantum Security Gateway that allows employees to interact with DLP-triggered security events such as justifying, approving, or reporting data sharing attempts. CWE-89 (SQL Injection) confirms the root cause: the portal fails to properly sanitize or parameterize user-supplied input before constructing SQL queries, enabling an attacker to alter the queries executed against the Security Gateway's internal DLP/UserCheck incident data store. This is a server-side injection flaw in a security appliance's self-service portal, not a client-side issue. The CPE cpe:2.3:a:checkpoint:quantum_security_gateway:*:*:*:*:*:*:*:* confirms the vulnerability spans the entire Quantum Security Gateway product line across multiple major release trains. The vulnerability is conditional on the DLP blade being licensed and active, meaning it is not present in all deployments.
RemediationAI
Apply the vendor-released Jumbo Hotfix for your release train: for R82.10, upgrade to Jumbo Hotfix Take 20 or above; for R81.20, upgrade to Jumbo Hotfix Take 128 or above; for R82, upgrade to Jumbo Hotfix Take 92 or above. Gateways running R81.10 or earlier are on end-of-life or near-EOL code paths and should be upgraded to a supported release receiving current hotfix coverage before applying the relevant take. Consult the Check Point advisory at https://support.checkpoint.com/results/sk/sk184983 for exact take numbers, download links, and upgrade prerequisites. As an immediate compensating control prior to patching, restrict network access to the UserCheck Web Portal so it is unreachable from untrusted networks - implement firewall rules or network segmentation ensuring only internal or VPN-authenticated hosts can reach the portal. The vendor explicitly identifies this as a meaningful risk reduction. Note that this control does not eliminate the underlying SQL injection vulnerability and should not substitute for patching; it does, however, remove the unauthenticated network attack surface until the Jumbo Hotfix can be applied.
More in Quantum Security Gateway
View allDenial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to crash the VPN proce
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to terminate the VPN s
Unauthenticated information disclosure in Check Point Quantum Security Gateway allows remote attackers to read internal
Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote at
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31821
GHSA-22vq-6hm4-vrwc