Skip to main content

Mercator CVE-2026-49344

| EUVDEUVD-2026-38071 HIGH
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-06-19 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable endpoint exploitable by any authenticated user (PR:L) with no user interaction; only confidentiality is impacted (read-only Query Engine exposing User data and password hashes).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 19, 2026 - 21:02 EUVD
Analysis Generated
Jun 19, 2026 - 20:15 vuln.today

DescriptionCVE.org

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (/admin/queries/execute) accepts a JSON DSL (from / select / filters / traverse / output), translates it into an Eloquent query, and returns results as JSON. The controller method QueryController::execute() does not enforce an authorization gate, unlike store() and massDestroy() in the same controller which are correctly protected. As a result, any authenticated account - including the read-only Auditor role - can query models beyond its intended scope, including the User model. Additionally, the password column, although declared $hidden, is not excluded from filter predicates, which allows it to be used in LIKE conditions. The schema() and schemaModel() endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.

AnalysisAI

Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected /admin/queries/execute endpoint. The flaw permits enumeration of the User model and even allows the supposedly $hidden password column to be probed via LIKE filter predicates, enabling blind extraction of password hashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege Mercator login
Delivery
Reach /admin/queries/execute endpoint
Exploit
Submit JSON DSL targeting User model
Install
Use LIKE filters on hidden password column
C2
Infer password hashes blindly
Execute
Crack hashes offline
Impact
Escalate to administrative access

Vulnerability AssessmentAI

Exploitation Requires (1) a valid authenticated session on the target Mercator instance - any role suffices, including the read-only Auditor role, because the `QueryController::execute()` method has no role/permission gate; (2) network reachability to the `/admin/queries/execute` endpoint (and `/admin/queries/schema`, `/admin/queries/schemaModel` for enumeration); (3) Mercator version prior to 2025.05.19. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) of 7.1 accurately reflects a network-reachable, low-complexity confidentiality-only flaw requiring low privileges - any authenticated account, including the explicitly read-only Auditor role, is sufficient. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid Mercator login (e.g. a compromised Auditor contractor account) sends a POST to `/admin/queries/execute` with a JSON DSL targeting `from: User`, then uses `filters` with `LIKE` patterns against the `password` column to extract the bcrypt hash one character at a time through blind oracle responses. …
Remediation Vendor-released patch: upgrade Mercator to version 2025.05.19 or later, which adds the missing authorization gate to `QueryController::execute()`, `schema()`, and `schemaModel()` (see https://github.com/sourcentis/mercator/security/advisories/GHSA-q3r8-3h7c-96w3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Review access logs and query audit logs for suspicious activity on the /admin/queries/execute endpoint, particularly from Auditor and read-only role accounts querying the User model; preserve logs for forensic analysis. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy