Description
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the External ODBC Data Source connection test feature of Claris FileMaker Cloud enables an administrator with access to the Admin Console to inject arbitrary operating system commands. By supplying unsanitized input, an attacker can execute any OS command on the underlying infrastructure, leading to complete compromise of confidentiality, integrity, and availability of the cloud instance.

Affected Systems

Claris FileMaker Cloud is affected by this vulnerability. The fix is available in version 2.22.0.5; all prior Cloud instances lacking this update are vulnerable. No specific earlier versions are listed, so any Cloud deployment before 2.22.0.5 is considered impacted.

Risk and Exploitability

The exploit requires Admin Console privileges, so it is limited to users with elevated access. The CVSS score is 7.2. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Remote code execution allows attackers full control over the host once they authenticate.

Generated by OpenCVE AI on May 13, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to FileMaker Cloud 2.22.0.5 or later.
  • Restrict Admin Console access to a minimal set of trusted users and enforce strong authentication.
  • If possible, disable or restrict the External ODBC Data Source connection test feature until a fix is applied.

Generated by OpenCVE AI on May 13, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:claris:filemaker_cloud:*:*:*:*:*:*:*:*

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Claris
Claris filemaker Cloud
Vendors & Products Claris
Claris filemaker Cloud

Wed, 13 May 2026 03:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unsanitized ODBC Data Source Test in Claris FileMaker Cloud

Wed, 13 May 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unsanitized ODBC Data Source Test in Claris FileMaker Cloud
Weaknesses CWE-78

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
References

Subscriptions

Claris Filemaker Cloud
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T00:17:22.242Z

Reserved: 2026-05-01T22:46:21.642Z

Link: CVE-2026-43685

cve-icon Vulnrichment

Updated: 2026-05-13T00:17:03.231Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T23:16:17.973

Modified: 2026-05-14T13:52:51.037

Link: CVE-2026-43685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:35:16Z

Weaknesses