Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
AnalysisAI
Second-order SQL injection in Focalboard 8.0 and earlier allows authenticated attackers to exfiltrate password hashes and other sensitive data via time-based blind injection through the category reorder API. Malicious SQL payloads injected into category ID fields persist in the database and execute unsanitized during subsequent reorder operations. Focalboard standalone is unsupported and will not receive a security patch. EPSS score of 0.01% indicates very low observed exploitation probability, consistent with the narrow attack surface requiring authenticated access to an end-of-life product.
Technical ContextAI
Focalboard is a Kanban-style project management tool (now archived by Mattermost). This vulnerability stems from CWE-89 (SQL Injection), specifically a second-order variant where malicious input is stored sanitized but later retrieved and executed without proper escaping. The category reorder API constructs dynamic SQL statements incorporating category IDs from database storage. Unlike first-order SQL injection where payloads execute immediately, second-order attacks require two steps: initial storage of the malicious payload and subsequent trigger via a different operation. Time-based blind SQL injection uses database timing functions (SLEEP, WAITFOR) to infer data one bit at a time by measuring response delays, enabling attackers to extract data even when application errors are suppressed. The affected CPE (cpe:2.3:a:mattermost:focalboard:*:*:*:*:*:*:*:*) confirms all versions through 8.0 are vulnerable.
RemediationAI
No vendor-released patch exists or will be developed as Focalboard standalone is end-of-life and unsupported by Mattermost. Organizations must migrate to actively maintained alternatives such as Mattermost Boards (the integrated successor), Trello, Jira, or other Kanban platforms. For systems requiring temporary continued operation, implement compensating controls: enforce principle of least privilege by restricting Focalboard user accounts to only trusted personnel (reducing PR:L attack surface), deploy web application firewall rules to detect SQL injection patterns in category reorder requests (monitor for SLEEP, WAITFOR, BENCHMARK functions and unusual URL-encoded payloads), enable database query logging and alerting for anomalous execution times indicating blind injection attempts, and segment Focalboard database credentials to prevent lateral movement if compromised. Network isolation (restrict access to internal users via VPN) reduces AV:N exposure. All compensating controls impose operational overhead and do not eliminate the vulnerability-migration remains the only complete remediation. Consult Mattermost documentation if using integrated Boards functionality within Mattermost platform.
More in Focalboard
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18651
GHSA-p32q-v29x-wq9r