Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
An authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service.
This vulnerability only affects installations configured to use the MySQL volume driver. Installations using the default LocalFileSystem driver are not affected.
Description
A vulnerability in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows authenticated SQL injection through a crafted file hash passed via the target parameter.
The issue is caused by two behaviors working together:
- File hashes are decoded without validating that the decoded value is a valid MySQL object identifier.
- The decoded value is then used in MySQL driver queries, including
cacheDir(),_joinPath(),_stat(), and_fopen().
Because the MySQL storage schema uses numeric id and parent_id values, an authenticated user can supply a crafted hash that alters the intended SQL query logic. Successful exploitation can lead to unauthorized data disclosure and denial of service. The extent of impact depends on the privileges granted to the configured MySQL account.
This vulnerability only affects installations configured to use the MySQL volume driver. Installations using the default LocalFileSystem driver are not affected.
Impact
An authenticated user, including a user with read-only access to the affected volume, can exploit this issue to:
- disclose data accessible to the configured MySQL account, including file contents stored by the driver and database metadata
- trigger denial of service through expensive or unexpectedly broad query results that can lead to excessive memory consumption
The severity of data exposure depends on the privileges granted to the configured MySQL account.
AnalysisAI
Authenticated SQL injection in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including those with read-only access, to inject malicious SQL via crafted file hash parameters. The vulnerability stems from improper validation of decoded file hashes before use in SQL queries, enabling attackers to manipulate query logic through the target parameter. This affects only installations using the non-default MySQL volume driver (versions <=2.1.67); the default LocalFileSystem driver is not vulnerable. Vendor-released patch available in version 2.1.68. CVSS 8.8 with network vector and low attack complexity indicates straightforward exploitation for authenticated attackers.
Technical ContextAI
elFinder is a PHP-based open-source file manager for web applications that provides a graphical interface for file operations. The vulnerable MySQL volume driver (elFinderVolumeMySQL) stores file metadata and contents in MySQL databases using numeric id and parent_id schema values. The flaw represents a classic SQL injection vulnerability (CWE-89) where user-controlled input-specifically the target parameter containing base64-encoded file hashes-is decoded and concatenated into SQL queries without proper sanitization or parameterization. Affected functions include cacheDir(), _joinPath(), _stat(), and _fopen(), all of which construct dynamic SQL queries using the decoded hash value. The vulnerability exists in the composer package studio-42/elfinder versions up to and including 2.1.67. Because file hashes are treated as trusted identifiers after decoding rather than validated against MySQL object identifier constraints, attackers can inject SQL fragments that alter query semantics, bypassing both authentication boundaries and intended access controls.
RemediationAI
Upgrade elFinder to version 2.1.68 or later, which contains fixes for the SQL injection vulnerability in the MySQL volume driver. For composer-managed installations, update the studio-42/elfinder package to version 2.1.68 using composer update studio-42/elfinder. Refer to the official GitHub Security Advisory at https://github.com/Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj for complete remediation guidance. If immediate patching is not feasible, consider migrating to the default LocalFileSystem volume driver as a temporary workaround, though this requires application reconfiguration and data migration with potential service disruption. As a defense-in-depth measure, ensure the MySQL database account used by elFinder follows least-privilege principles-restricting permissions to only the specific database and tables required for file storage operations will limit the scope of potential data disclosure even if SQL injection occurs. Network segmentation to restrict database access only from application servers and implementation of web application firewall rules to detect SQL injection patterns in file hash parameters can provide additional layers of protection, though these do not eliminate the underlying vulnerability.
Same weakness CWE-89 – SQL Injection
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32607
GHSA-c3gj-q88f-7hqj