
OpenKM EUVD-2026-31834

CVE-2026-42425 · HIGH · 8.6 (CVSS 4.0, NVD)
SQL Injection (CWE-89)
2026-05-26 · VulnCheck · GHSA-2445-qj53-662g

Severity by source

NVD (primary): 8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS vector breakdown (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Jun 08, 2026 10:00 · Analysis generated (vuln.today)
May 26, 2026 15:22 · CVSS changed: 7.2 (HIGH) → 8.6 (HIGH) (NVD)

Description (CVE.org)

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.

Analysis (AI)

Authenticated SQL injection in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) lets administrative users execute arbitrary SQL against the application database through the /admin/DatabaseQuery endpoint's qs parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), enabling dumping of password hashes from OKM_USER, permission tampering, and data destruction. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain OpenKM admin credentials
Delivery: Authenticate to the /admin/ web console
Exploit: Submit malicious SQL via qs to /admin/DatabaseQuery
Execution: Dump OKM_USER hashes and tamper with permissions
Impact: Crack hashes offline and exfiltrate documents

Vulnerability Assessment (AI)

Exploitation: Requires valid OpenKM administrator credentials (CVSS PR:H) and network reach to the /admin/DatabaseQuery endpoint on a running Community Edition ≤6.3.12 or Professional Edition ≤7.1.47 instance; no user interaction or non-default configuration is needed because DatabaseQuery is a stock admin feature. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals diverge: CVSS 4.0 rates this 8.6 (High) with AV:N/AC:L/PR:H/UI:N and total CIA impact on the vulnerable system, and SSVC marks Technical Impact as 'total', but PR:H combined with Automatable:no and an EPSS of 0.03% (10th percentile) place actual exploitation likelihood in the low band. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has phished or credential-stuffed an OpenKM administrator account logs into the web UI, navigates to /admin/DatabaseQuery, and submits a SELECT against OKM_USER via the qs parameter to dump usernames and password hashes; the Exploit-DB entry 52520 and the Terra System Labs Nuclei template automate this end-to-end. Cracked hashes are then reused to access other corporate systems, or follow-up UPDATE/DELETE statements are issued to grant the attacker elevated roles inside OpenKM and silently exfiltrate sensitive documents.

Remediation: No vendor-released patch identified at time of analysis. The references include the vendor site and the Terra System Labs / VulnCheck advisories, but no fixed version is published for Community 6.3.12 or Professional 7.1.47, so operators should monitor https://www.openkm.com/ and the VulnCheck advisory (https://www.vulncheck.com/advisories/openkm-unrestricted-sql-execution-via-databasequery) for an upstream fix. … Detailed patch versions, workarounds, and compensating controls in full report.
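A defender-side check, added here as an example and not part of the vuln.today analysis or of the OpenKM project: it scans constructed web-server access-log lines for hits on the stock /admin/DatabaseQuery endpoint and grades each one by the SQL verb in the qs parameter and by whether it references OKM_USER, so any use of the admin SQL console becomes an alertable event. The combined log format, the /OpenKM context path and the user names are assumptions.

```python
import re
from typing import List, Dict, Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Tomcat combined log format (not real OpenKM logs);
# the /OpenKM context path and the user names are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - okmAdmin [26/May/2026:15:30:01 +0000] "GET /OpenKM/admin/DatabaseQuery?qs=SELECT+*+FROM+OKM_USER HTTP/1.1" 200 5120
10.0.0.7 - jdoe [26/May/2026:15:31:10 +0000] "GET /OpenKM/frontend/index.jsp HTTP/1.1" 200 842
10.0.0.5 - okmAdmin [26/May/2026:15:32:44 +0000] "POST /OpenKM/admin/DatabaseQuery HTTP/1.1" 200 311
10.0.0.9 - okmAdmin [26/May/2026:15:40:02 +0000] "GET /OpenKM/admin/DatabaseQuery?qs=DELETE+FROM+OKM_USER HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "CREATE", "GRANT"}


def classify_sql(qs: str) -> Tuple[str, str]:
    """Return (category, severity) for a statement submitted through the qs parameter."""
    stripped = qs.strip()
    verb = stripped.split(None, 1)[0].upper() if stripped else ""
    if verb in WRITE_VERBS:
        return ("write", "critical")          # data or permission tampering
    if re.search(r"\bOKM_USER\b", stripped, re.IGNORECASE):
        return ("credential-table read", "high")  # password hashes live here
    return ("read", "medium")                 # any other ad-hoc SQL from the console


def scan_access_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Collect every request to the DatabaseQuery admin servlet, graded by what it did."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/admin/DatabaseQuery"):
            continue
        qs_values = parse_qs(parts.query).get("qs")
        if qs_values:
            query = qs_values[0]
            category, severity = classify_sql(query)
        else:
            # Access logs do not record POST bodies, so the statement itself is unknown.
            query, category, severity = None, "unknown (query in request body)", "high"
        events.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "method": m["method"],
                       "status": m["status"], "query": query, "category": category, "severity": severity})
    return events
```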

Recommended Action (AI)

Within 24 hours: Immediately isolate internet-facing OpenKM instances or implement strict network access controls; force password reset for all administrative accounts and enforce multi-factor authentication. …


EUVD-2026-31834 vulnerability details – vuln.today
