Description
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Published: 2026-04-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Monitor
AI Analysis

Impact

A second‑order SQL injection vulnerability exists in the category reorder endpoint of Focalboard version 8.0. An attacker who is authenticated can add a malicious SQL payload to the category identifier field. The payload is stored in the database and later executed unsanitized when the reorder API processes the stored value. This time‑based blind injection can retrieve sensitive data, including password hashes of other users. The flaw is a classic SQL injection weakness (CWE‑89).

Affected Systems

The affected product is Mattermost Focalboard, and the vulnerability applies specifically to version 8.0. The standalone product is no longer maintained and no fix will be released. Any deployment of this version that allows authenticated access to the category reorder API is impacted.

Risk and Exploitability

The CVSS base score of 8.1 marks this flaw as high severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because an attacker must be authenticated to trigger the injection, the attack vector is localhost or within the trusted environment of the application. Once exploited, the attacker can read confidential data from the database, potentially leading to credential compromise and further lateral movement. No official patch is available, so the risk remains significant for any vulnerable installation.

Generated by OpenCVE AI on April 3, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disallow or restrict access to the category reorder endpoint for non‑essential users.
  • Validate and sanitize the category ID input on the server side before it is used in any SQL statement.
  • Refactor database access to use parameterized queries or an ORM that automatically escapes inputs.
  • Because the product is unsupported, consider migrating to an actively maintained solution or replacing the affected components.
  • Monitor application logs for unusual query patterns that could indicate an injection attempt.
  • If immediate migration is not possible, isolate the system from external network traffic and enforce strict network segmentation.

Generated by OpenCVE AI on April 3, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p32q-v29x-wq9r Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements
History

Tue, 28 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mattermost:focalboard:8.0.0:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost focalboard
Vendors & Products Mattermost
Mattermost focalboard

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Title Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Mattermost Focalboard
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-03T14:57:00.729Z

Reserved: 2026-04-03T13:10:59.186Z

Link: CVE-2026-25773

cve-icon Vulnrichment

Updated: 2026-04-03T14:56:50.635Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T14:16:29.127

Modified: 2026-04-28T00:19:15.587

Link: CVE-2026-25773

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:16:35Z

Weaknesses