Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper input validation in Delphix Continuous Data connectors allows an authenticated user to execute arbitrary operating system commands on the staging or target host.
AnalysisAI
Command injection in Delphix Continuous Data database connectors allows authenticated attackers with low-privilege network access to execute arbitrary operating system commands on staging or target hosts. The vulnerability affects multiple database connector types (IBM DB2, MongoDB, PostgreSQL, MySQL, Oracle EBS, SAP HANA, CockroachDB, Couchbase, Cassandra, YugabyteDB) due to improper input validation (CWE-78). Network-based exploitation with low complexity (AV:N/AC:L) requires authentication (PR:L) but no user interaction, resulting in complete compromise of confidentiality, integrity, and availability on affected connector hosts. Vendor Perforce has published an advisory; no CISA KEV listing or public exploit identified at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-78 (OS Command Injection) in the Delphix Continuous Data platform's connector architecture. Delphix Continuous Data provides database virtualization and continuous data delivery capabilities through specialized connectors that interface between source databases and Delphix engines. The affected connectors (IBM DB2, MongoDB, PostgreSQL, MySQL, Oracle EBS, SAP HANA, CockroachDB, Couchbase, Cassandra, YugabyteDB) likely share common code paths for processing user-supplied input during data synchronization, masking, or provisioning operations. Improper validation of user-controlled parameters enables injection of shell metacharacters or command sequences that are executed by the connector process on staging hosts (intermediate data processing systems) or target hosts (destination database servers). The CVSS 4.0 vector indicates scope is unchanged (SC:N/SI:N/SA:N), meaning the vulnerable component and impacted component share the same security authority, consistent with command execution on the connector host itself rather than lateral movement to other systems.
RemediationAI
Consult the Perforce vendor advisory at https://portal.perforce.com/s/cve/a91Qi000002z78HIAQ/authenticated-os-command-injection-in-delphix-continuous-data-connectors for exact patched connector versions and upgrade instructions. Primary remediation is upgrading all affected Delphix Continuous Data connectors to fixed versions specified in the advisory. Until patches can be applied, implement compensating controls: restrict authenticated access to Delphix connector management interfaces using network segmentation or firewall rules limiting source IPs to trusted administrator workstations; enforce multi-factor authentication for all Delphix platform accounts with connector access; audit and remove unnecessary user permissions to connector configuration and operation functions; enable comprehensive logging of connector command execution and monitor for unusual process spawning or shell metacharacter patterns in connector input parameters (note: input filtering as mitigation may break legitimate workflows and should be tested thoroughly). Consider temporarily disabling unused connector types to reduce attack surface. Prioritize patching connectors exposed to less-trusted user populations or those processing highly sensitive data on staging/target hosts.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30508
GHSA-x5cx-4h7g-fcf9