Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.
AnalysisAI
Authentication bypass via SQL injection in OSNexus QuantaStor SDS Manager allows unauthenticated remote attackers to log in as administrator by injecting crafted input into the login endpoint's username field. The flaw carries a CVSS 9.8 rating and grants full administrative control over the storage management plane without any valid credentials. No public exploit identified at time of analysis, though the vulnerability was disclosed by researchers at Black Lantern Security (BLSOPS).
Technical ContextAI
QuantaStor is a software-defined storage (SDS) platform from OSNexus that unifies block, file, and object storage management across clusters; the SDS Manager is its web-based administrative interface. The root cause is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically in the authentication handler where the username parameter is concatenated or interpolated into a SQL query without parameterization or proper escaping. Because the query result drives the authentication decision, classic SQLi payloads (e.g., tautologies in the username field) can return a row matching an admin account and short-circuit password verification, turning a data-layer flaw into a full authentication bypass. The CPE 'cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:*' indicates all currently catalogued versions are potentially in scope until vendor advisory clarifies fixed versions.
RemediationAI
No vendor-released patch identified at time of analysis from the provided intelligence; verify the latest OSNexus advisories and apply any released QuantaStor SDS Manager update as soon as it is published. As compensating controls, immediately restrict network access to the QuantaStor management web interface to a dedicated administrative VLAN or jump-host via firewall ACLs so the login endpoint is not reachable from general user networks or the internet (trade-off: remote admins must use VPN/jump access); place the management UI behind a reverse proxy or WAF with rules blocking SQL metacharacters such as quotes, comments, and UNION/OR tautologies in the username field (trade-off: may break legitimate usernames containing special characters); enable verbose authentication logging and alert on any successful admin login from unexpected source IPs or any failed-then-successful login pattern indicative of injection probing. Consult the disclosure at https://blog.blacklanternsecurity.com/p/cve-2026-10880-osnexus-quantastor for indicators and verify CPE coverage against your deployed build.
More in Quantastor
View allOn the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be t
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34305
GHSA-wvpj-mf49-p9p4