Skip to main content

elFinder EUVDEUVD-2026-32607

| CVE-2026-44521 HIGH
SQL Injection (CWE-89)
2026-05-11 https://github.com/Studio-42/elFinder GHSA-c3gj-q88f-7hqj
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:30 vuln.today
Analysis Generated
May 11, 2026 - 16:30 vuln.today
CVE Published
May 11, 2026 - 16:11 nvd
HIGH 8.8

DescriptionGitHub Advisory

Summary

An authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service.

This vulnerability only affects installations configured to use the MySQL volume driver. Installations using the default LocalFileSystem driver are not affected.

Description

A vulnerability in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows authenticated SQL injection through a crafted file hash passed via the target parameter.

The issue is caused by two behaviors working together:

  1. File hashes are decoded without validating that the decoded value is a valid MySQL object identifier.
  2. The decoded value is then used in MySQL driver queries, including cacheDir(), _joinPath(), _stat(), and _fopen().

Because the MySQL storage schema uses numeric id and parent_id values, an authenticated user can supply a crafted hash that alters the intended SQL query logic. Successful exploitation can lead to unauthorized data disclosure and denial of service. The extent of impact depends on the privileges granted to the configured MySQL account.

This vulnerability only affects installations configured to use the MySQL volume driver. Installations using the default LocalFileSystem driver are not affected.

Impact

An authenticated user, including a user with read-only access to the affected volume, can exploit this issue to:

  • disclose data accessible to the configured MySQL account, including file contents stored by the driver and database metadata
  • trigger denial of service through expensive or unexpectedly broad query results that can lead to excessive memory consumption

The severity of data exposure depends on the privileges granted to the configured MySQL account.

AnalysisAI

Authenticated SQL injection in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including those with read-only access, to inject malicious SQL via crafted file hash parameters. The vulnerability stems from improper validation of decoded file hashes before use in SQL queries, enabling attackers to manipulate query logic through the target parameter. This affects only installations using the non-default MySQL volume driver (versions <=2.1.67); the default LocalFileSystem driver is not vulnerable. Vendor-released patch available in version 2.1.68. CVSS 8.8 with network vector and low attack complexity indicates straightforward exploitation for authenticated attackers.

Technical ContextAI

elFinder is a PHP-based open-source file manager for web applications that provides a graphical interface for file operations. The vulnerable MySQL volume driver (elFinderVolumeMySQL) stores file metadata and contents in MySQL databases using numeric id and parent_id schema values. The flaw represents a classic SQL injection vulnerability (CWE-89) where user-controlled input-specifically the target parameter containing base64-encoded file hashes-is decoded and concatenated into SQL queries without proper sanitization or parameterization. Affected functions include cacheDir(), _joinPath(), _stat(), and _fopen(), all of which construct dynamic SQL queries using the decoded hash value. The vulnerability exists in the composer package studio-42/elfinder versions up to and including 2.1.67. Because file hashes are treated as trusted identifiers after decoding rather than validated against MySQL object identifier constraints, attackers can inject SQL fragments that alter query semantics, bypassing both authentication boundaries and intended access controls.

RemediationAI

Upgrade elFinder to version 2.1.68 or later, which contains fixes for the SQL injection vulnerability in the MySQL volume driver. For composer-managed installations, update the studio-42/elfinder package to version 2.1.68 using composer update studio-42/elfinder. Refer to the official GitHub Security Advisory at https://github.com/Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj for complete remediation guidance. If immediate patching is not feasible, consider migrating to the default LocalFileSystem volume driver as a temporary workaround, though this requires application reconfiguration and data migration with potential service disruption. As a defense-in-depth measure, ensure the MySQL database account used by elFinder follows least-privilege principles-restricting permissions to only the specific database and tables required for file storage operations will limit the scope of potential data disclosure even if SQL injection occurs. Network segmentation to restrict database access only from application servers and implementation of web application firewall rules to detect SQL injection patterns in file hash parameters can provide additional layers of protection, though these do not eliminate the underlying vulnerability.

Share

EUVD-2026-32607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy