Description
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the External ODBC Data Source connection test feature of Claris FileMaker Cloud enables an administrator with access to the Admin Console to inject arbitrary operating system commands. By supplying unsanitized input, an attacker can execute any OS command on the underlying infrastructure, leading to complete compromise of confidentiality, integrity, and availability of the cloud instance.

Affected Systems

Claris FileMaker Cloud is affected by this vulnerability. The fix is available in version 2.22.0.5; all prior Cloud instances lacking this update are vulnerable. No specific earlier versions are listed, so any Cloud deployment before 2.22.0.5 is considered impacted.

Risk and Exploitability

The exploit requires Admin Console privileges, so it is limited to users with elevated access. The CVSS score is 7.2. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Remote code execution allows attackers full control over the host once they authenticate.

Generated by OpenCVE AI on May 13, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to FileMaker Cloud 2.22.0.5 or later.
  • Restrict Admin Console access to a minimal set of trusted users and enforce strong authentication.
  • If possible, disable or restrict the External ODBC Data Source connection test feature until a fix is applied.

Generated by OpenCVE AI on May 13, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 03:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unsanitized ODBC Data Source Test in Claris FileMaker Cloud

Wed, 13 May 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unsanitized ODBC Data Source Test in Claris FileMaker Cloud
Weaknesses CWE-78

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T00:17:22.242Z

Reserved: 2026-05-01T22:46:21.642Z

Link: CVE-2026-43685

cve-icon Vulnrichment

Updated: 2026-05-13T00:17:03.231Z

cve-icon NVD

Status : Received

Published: 2026-05-12T23:16:17.973

Modified: 2026-05-12T23:16:17.973

Link: CVE-2026-43685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T03:00:12Z

Weaknesses