Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
AnalysisAI
Remote code execution in Claris FileMaker Cloud allows authenticated administrators to execute arbitrary operating system commands via command injection in the External ODBC Data Source connection test feature. The vulnerability requires Admin Console privileges (PR:H) but no user interaction, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. EPSS score of 0.23% (46th percentile) indicates low observed exploitation probability despite the RCE capability. Fixed in FileMaker Cloud version 2.22.0.5.
Technical ContextAI
This vulnerability exploits CWE-78 (OS Command Injection) in the External ODBC Data Source connection test feature within FileMaker Cloud's Admin Console. FileMaker Cloud is Claris's cloud-hosted database platform that enables organizations to deploy custom FileMaker applications. The ODBC (Open Database Connectivity) connection test feature is designed to validate connections to external data sources. The vulnerability arises from insufficient input sanitization when processing administrator-supplied parameters during ODBC connection testing, allowing shell metacharacters or command separators to break out of the intended context and execute arbitrary system commands with the privileges of the FileMaker Cloud service process. The network attack vector (AV:N) combined with low complexity (AC:L) means remote administrators can exploit this through the web-based Admin Console without requiring additional access or complex timing conditions.
RemediationAI
Upgrade to FileMaker Cloud version 2.22.0.5 or later, which contains input sanitization fixes for the ODBC connection test feature per vendor advisory 000049154 (https://support.claris.com/s/answerview?anum=000049154&language=en_US). As a temporary mitigation if immediate patching is not feasible, restrict Admin Console access through IP allowlisting to trusted administrator workstations only, implement multi-factor authentication for all admin accounts, enable comprehensive audit logging for Admin Console activities (particularly ODBC configuration changes), and monitor for unusual ODBC connection test requests or unexpected system process spawning. Note that access restrictions reduce exposure but do not eliminate the vulnerability - patching remains the only complete remediation. Review admin account usage and revoke unnecessary Admin Console privileges following principle of least privilege.
More in Filemaker Cloud
View allSame weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29879
GHSA-vxm5-52jm-vr7c