Description
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
Published: 2026-05-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL Injection flaw resides in the EventRepository of BillaBear. User-controlled metric filter names and aggregation property identifiers are embedded directly into SQL queries via sprintf() without sanitization or identifier quoting. Although filter values are bound as parameters, the filter keys are not, so an attacker can inject arbitrary SQL through them. The vulnerability is exploitable by any authenticated user holding the ROLE_ACCOUNT_MANAGER permission and can lead to unauthorized data retrieval, modification, or deletion within the database.

Affected Systems

The issue affects all BillaBear deployments using versions released before January 2026. No other vendor or product versions are listed as impacted.

Risk and Exploitability

The CVSS score is not disclosed. There is no documented exploitation and the flaw requires privileged access, so the risk is moderate to high where an attacker can obtain the ROLE_ACCOUNT_MANAGER role. No EPSS score is available and the vulnerability is not present in the CISA KEV catalog. Exploitation would most likely go through the business-logic API endpoints that accept metric filters, using an authenticated session to supply a crafted filter key.

Generated by OpenCVE AI on May 19, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BillaBear to a release issued on or after January 2026, which contains the patched EventRepository code.
  • Restrict users granted ROLE_ACCOUNT_MANAGER to only the minimal set of actions required for their duties, ideally removing the ability to apply arbitrary metric filters.
  • Implement server-side validation for all metric filter names and aggregation property identifiers (an allowlist of known property names), and quote any identifier that must be placed into SQL text instead of interpolating it with sprintf(); filter values should remain bound parameters.
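The pattern the advisory describes (keys interpolated with sprintf(), values bound) and the recommended fix, as an added example that is not BillaBear's code. It assumes a Doctrine DBAL Connection, PostgreSQL with a JSON column named properties on a hypothetical events table, and a hypothetical allowlist of property names.

```php
<?php
declare(strict_types=1);

use Doctrine\DBAL\Connection;

/**
 * Builds the metric aggregation query so that filter keys and the aggregation
 * property are checked against an allowlist and quoted, while filter values
 * stay bound parameters. Names and table layout are hypothetical.
 */
final class MetricQueryBuilder
{
    /** Hypothetical allowlist: the only property names the API may address. */
    private const ALLOWED_PROPERTIES = ['country', 'plan', 'source', 'amount'];

    /** Unsafe pattern from the advisory, kept only for contrast: the key is
     *  interpolated as-is while only the value is bound. Do not use. */
    public static function unsafeClause(string $key): string
    {
        return sprintf("properties->>'%s' = :value", $key);
    }

    /** Returns a quoted SQL string literal for an allowlisted property, or throws. */
    private static function property(Connection $conn, string $name): string
    {
        if (!in_array($name, self::ALLOWED_PROPERTIES, true)) {
            throw new \InvalidArgumentException('Unknown metric property: ' . $name);
        }
        // quote() escapes the literal; the allowlist above is the primary control.
        return $conn->quote($name);
    }

    /**
     * @param array<string, scalar> $filters key => value pairs taken from the request
     * @return array{0: string, 1: array<string, scalar>} SQL text and bound params
     */
    public static function build(Connection $conn, array $filters, ?string $aggregateOn): array
    {
        $select = $aggregateOn === null
            ? 'COUNT(*)'
            : sprintf('SUM((properties->>%s)::numeric)', self::property($conn, $aggregateOn));

        $clauses = [];
        $params = [];
        foreach (array_keys($filters) as $i => $key) {
            $param = 'filter_' . $i;
            $clauses[] = sprintf('properties->>%s = :%s', self::property($conn, (string) $key), $param);
            $params[$param] = $filters[$key]; // value is bound, never interpolated
        }
        $where = $clauses === [] ? '' : ' WHERE ' . implode(' AND ', $clauses);

        return [sprintf('SELECT %s FROM events%s', $select, $where), $params];
    }
}
```

Usage: `[$sql, $params] = MetricQueryBuilder::build($conn, $request->filters, 'amount'); $conn->fetchOne($sql, $params);` rejects any filter key outside the allowlist before it reaches SQL text.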



Advisories

No advisories yet.

History

Tue, 19 May 2026 17:15:00 +0000

Type         Values Removed   Values Added
Title                         Unsanitized Metric Filters Enable SQL Injection in BillaBear EventRepository
Weaknesses                    CWE-89

Tue, 19 May 2026 15:45:00 +0000

Type         Values Removed   Values Added
Description                   BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T15:10:48.852Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31069

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-19T16:16:20.230

Modified: 2026-05-19T18:04:29.373

Link: CVE-2026-31069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T17:00:12Z

Weaknesses