Description
SQL injection (SQLi) vulnerability in the Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and an SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). Successful exploitation of this vulnerability could allow an authenticated attacker to compromise the data in the database and execute dangerous functions.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL Injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an SQL injection flaw that occurs when the application fails to sanitize the 'timezone' parameter. An attacker who has already authenticated can substitute malicious SQL into that parameter, allowing execution of arbitrary commands against the database. The consequence is direct compromise of database confidentiality and integrity, potentially enabling data exfiltration or modification. The weakness aligns with CWE-89 for SQL Injection.

Affected Systems

The flaw affects the Umami Software application, specifically version 3.0.2 and any prior releases that share the same code path for the 'timezone' parameter. The vendor has released version 3.0.3 to address the issue. Systems running the affected version and having authenticated access to the web interface are at risk.

Risk and Exploitability

The vulnerability is quantified with a CVSS score of 9.3, reflecting a high risk to all affected users. While the EPSS metric is not available, the lack of KEV listing does not diminish the potential severity. The attack requires the attacker to be authenticated, and the exploit is facilitated by the improper handling of user input, which the vendor has confirmed can lead to arbitrary database modification. Administrators should assume the worst-case scenario of data loss or theft until the patch is applied. The likely attack vector involves sending a crafted HTTP request containing a malicious 'timezone' payload to the application endpoint post-authentication.

Generated by OpenCVE AI on March 31, 2026 at 11:22 UTC.
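The description names raw-query interpolation of the 'timezone' parameter as the root cause. The following is an added JavaScript example, not Umami's own code: it shows that interpolation pattern beside a hardened builder that validates the zone name with Intl.DateTimeFormat and binds it as a query parameter. The `sql` tagged template is an assumed stand-in for Prisma's `Prisma.sql`/`$queryRaw` shape, and the `website_event` table and column names are assumptions.

```javascript
// Added example, not Umami's own code. The advisory describes the 'timezone'
// request parameter being interpolated into a raw SQL query. Two defensive
// measures shown here: accept only IANA zone names the runtime knows, and pass
// the value as a bound query parameter rather than as SQL text.

// Returns the canonical IANA name for a valid zone, or null otherwise.
// Intl.DateTimeFormat throws RangeError for names absent from the zone
// database, so input carrying quotes, semicolons or comment markers is rejected.
function canonicalTimezone(tz) {
  if (typeof tz !== 'string' || tz.length === 0 || tz.length > 64) return null;
  try {
    return new Intl.DateTimeFormat('en-US', { timeZone: tz }).resolvedOptions().timeZone;
  } catch (err) {
    if (err instanceof RangeError) return null;
    throw err;
  }
}

// Stand-in for a parameterized tagged template (same shape as Prisma.sql and
// $queryRaw: SQL text with $n placeholders plus a values array). Assumed for
// illustration; not the Prisma implementation.
function sql(strings, ...values) {
  let text = strings[0];
  for (let i = 0; i < values.length; i++) text += `$${i + 1}${strings[i + 1]}`;
  return { text, values };
}

// Pattern the advisory describes: request input becomes part of the SQL text.
function buildPageviewQueryUnsafe(websiteId, tz) {
  return { text: `SELECT date_trunc('day', created_at AT TIME ZONE '${tz}') AS day, count(*) AS views` +
    ` FROM website_event WHERE website_id = '${websiteId}' GROUP BY 1 ORDER BY 1`, values: [] };
}

// Hardened form: the validated zone and the website id travel as parameters, so
// the query text is fixed regardless of request content. Table and column
// names are assumed for illustration.
function buildPageviewQuery(websiteId, tz) {
  const zone = canonicalTimezone(tz);
  if (zone === null) throw new RangeError(`invalid timezone parameter: ${JSON.stringify(tz)}`);
  return sql`SELECT date_trunc('day', created_at AT TIME ZONE ${zone}) AS day, count(*) AS views
FROM website_event WHERE website_id = ${websiteId} GROUP BY 1 ORDER BY 1`;
}
```

A handler that calls `buildPageviewQuery` should map the RangeError to an HTTP 400 so rejected values are visible in request logs.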

Remediation

Vendor Solution

The vulnerability has been fixed by the Umami Software team in version 3.0.3.


OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to version 3.0.3
  • Verify that the update has been applied and monitor the application for any abnormal behavior involving the 'timezone' parameter



Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 10:15:00 +0000

Type: Description
Values Added: SQL injection (SQLi) vulnerability in the Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and an SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). Successful exploitation of this vulnerability could allow an authenticated attacker to compromise the data in the database and execute dangerous functions.
Type: Title
Values Added: SQL injection in Umami Software application
Type: First Time appeared
Values Added: Umami Software Application; Umami Software Application umami Software
Type: Weaknesses
Values Added: CWE-89
Type: CPEs
Values Added: cpe:2.3:a:umami_software_application:umami_software:3.0.2:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Umami Software Application; Umami Software Application umami Software
Type: References
Values Added:
Type: Metrics
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T18:04:01.109Z

Reserved: 2026-03-17T09:27:25.828Z

Link: CVE-2026-4317

Vulnrichment

Updated: 2026-03-31T14:59:57.074Z

NVD

Status: Awaiting Analysis

Published: 2026-03-31T10:16:19.153

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-4317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:16Z

Weaknesses