Skip to main content

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 15, 2026 - 08:01 EUVD
Analysis Generated
May 15, 2026 - 07:30 vuln.today
CVSS changed
May 15, 2026 - 07:22 NVD
8.7 (HIGH)
CVE Published
May 15, 2026 - 05:59 nvd
HIGH 8.7

DescriptionCVE.org

Improper input validation in Delphix Continuous Data connectors allows an authenticated user to execute arbitrary operating system commands on the staging or target host.

AnalysisAI

Command injection in Delphix Continuous Data database connectors allows authenticated attackers with low-privilege network access to execute arbitrary operating system commands on staging or target hosts. The vulnerability affects multiple database connector types (IBM DB2, MongoDB, PostgreSQL, MySQL, Oracle EBS, SAP HANA, CockroachDB, Couchbase, Cassandra, YugabyteDB) due to improper input validation (CWE-78). Network-based exploitation with low complexity (AV:N/AC:L) requires authentication (PR:L) but no user interaction, resulting in complete compromise of confidentiality, integrity, and availability on affected connector hosts. Vendor Perforce has published an advisory; no CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-78 (OS Command Injection) in the Delphix Continuous Data platform's connector architecture. Delphix Continuous Data provides database virtualization and continuous data delivery capabilities through specialized connectors that interface between source databases and Delphix engines. The affected connectors (IBM DB2, MongoDB, PostgreSQL, MySQL, Oracle EBS, SAP HANA, CockroachDB, Couchbase, Cassandra, YugabyteDB) likely share common code paths for processing user-supplied input during data synchronization, masking, or provisioning operations. Improper validation of user-controlled parameters enables injection of shell metacharacters or command sequences that are executed by the connector process on staging hosts (intermediate data processing systems) or target hosts (destination database servers). The CVSS 4.0 vector indicates scope is unchanged (SC:N/SI:N/SA:N), meaning the vulnerable component and impacted component share the same security authority, consistent with command execution on the connector host itself rather than lateral movement to other systems.

RemediationAI

Consult the Perforce vendor advisory at https://portal.perforce.com/s/cve/a91Qi000002z78HIAQ/authenticated-os-command-injection-in-delphix-continuous-data-connectors for exact patched connector versions and upgrade instructions. Primary remediation is upgrading all affected Delphix Continuous Data connectors to fixed versions specified in the advisory. Until patches can be applied, implement compensating controls: restrict authenticated access to Delphix connector management interfaces using network segmentation or firewall rules limiting source IPs to trusted administrator workstations; enforce multi-factor authentication for all Delphix platform accounts with connector access; audit and remove unnecessary user permissions to connector configuration and operation functions; enable comprehensive logging of connector command execution and monitor for unusual process spawning or shell metacharacter patterns in connector input parameters (note: input filtering as mitigation may break legitimate workflows and should be tested thoroughly). Consider temporarily disabling unused connector types to reduce attack surface. Prioritize patching connectors exposed to less-trusted user populations or those processing highly sensitive data on staging/target hosts.

Share

CVE-2026-8654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy