Description
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/<entity> with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user — including one who self-registered with no admin involvement — can read the entire database. This issue has been patched in version 0.11.5.
Published: 2026-05-07
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Daptin’s fuzzy search feature performed an unchecked split of a user‑supplied column name and concatenated each part directly into a raw SQL statement. This allowed an attacker to inject arbitrary column references, resulting in full database visibility for anyone who could authenticate to the system. The vulnerability is a classic SQL injection (CWE‑89), with a moderate‑to‑high impact due to the ability to exfiltrate all database contents.

Affected Systems

The flaw exists in Daptin's headless CMS in every release prior to version 0.11.5. Any deployment that exposes GET /api/<entity> is affected, for every entity type, whenever a request uses the fuzzy, fuzzy_any, or fuzzy_all operator.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 (High) reflects a network-reachable, low-complexity attack that needs only a low-privileged account and no user interaction, with high confidentiality impact and no integrity or availability impact. The attacker must authenticate first, but where self-registration is open that is trivial; after that a single crafted GET request with operator=fuzzy (or fuzzy_any/fuzzy_all) is enough, and no memory corruption or exploit tooling is involved. The issue is not listed in the CISA KEV catalog. Because the vector is an ordinary authenticated HTTP request and the payload is a plain SQL expression, any internet-facing instance with open self-registration should be treated as readily exploitable, and prompt remediation is warranted.

Generated by OpenCVE AI on May 7, 2026 at 15:20 UTC.

Remediation

Fixed in Daptin 0.11.5 (see the description above and GHSA-pwqg-q8pg-pp6r). No vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Daptin to version 0.11.5 or later, which contains the fix.
  • Until the upgrade is applied, block or restrict GET /api/<entity> requests that carry operator=fuzzy, fuzzy_any, or fuzzy_all (for example at a reverse proxy or WAF), and review whether self-registration needs to remain open, since any self-registered account can exploit the flaw.
  • Implement server-side validation that checks each requested column name against the entity's known columns before it is placed in any SQL statement. The LIKE value can be a bind parameter, but a column name cannot be parameterized, so a whitelist is the only correct control.
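As an added illustration (not Daptin's code and not the 0.11.5 fix), the Go program below reproduces the interpolation pattern quoted in the description and places a whitelist-checked version beside it, as the last recommendation above calls for. goqu is replaced by plain string building so the example runs stand-alone; the entity name, the per-entity column map, the `user_account` table in the payload and the `prefix` argument (kept empty here, it stands for whatever table qualifier the real code prepends) are all assumptions. The payload is constructed: a subquery placed where a column name is expected, so the LIKE pattern ends up comparing against data from a different table, which is the mechanism behind "read the entire database".

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// fuzzyFragmentsUnchecked reproduces the unsafe pattern described in the
// advisory: split the user-supplied column parameter on commas and drop
// every piece into "LOWER(%s) LIKE ?" verbatim. Only the LIKE value is a
// bind parameter; the column text is pasted into the SQL as written.
func fuzzyFragmentsUnchecked(prefix, columnParam string) []string {
	var frags []string
	for _, col := range strings.Split(columnParam, ",") {
		frags = append(frags, fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col))
	}
	return frags
}

// entityColumns is a hypothetical per-entity whitelist (assumed for this
// example). A real implementation would build it from the entity's schema
// rather than hard-code it.
var entityColumns = map[string]map[string]bool{
	"article": {"title": true, "body": true},
}

// identRe accepts plain SQL identifiers only, so nothing containing
// parentheses, quotes or whitespace can reach the query even if the
// whitelist map were ever populated from an untrusted source.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

var errBadColumn = errors.New("column is not searchable for this entity")

// fuzzyFragmentsChecked builds the same fragments but rejects any requested
// column that is not a known column of the entity. Column names cannot be
// bound as query parameters, so a whitelist is the only correct defence.
func fuzzyFragmentsChecked(entity, prefix, columnParam string) ([]string, error) {
	allowed := entityColumns[entity] // nil map for unknown entities: every lookup is false
	var frags []string
	for _, col := range strings.Split(columnParam, ",") {
		col = strings.TrimSpace(col)
		if !identRe.MatchString(col) || !allowed[col] {
			return nil, fmt.Errorf("%w: %q", errBadColumn, col)
		}
		frags = append(frags, fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col))
	}
	return frags, nil
}

func main() {
	// Constructed payload: a subquery in the column position. Combined with
	// a LIKE value such as "a%" it lets the caller test the first character
	// of a row in an unrelated (assumed) table, one request at a time.
	payload := "(SELECT password FROM user_account LIMIT 1)"

	fmt.Println("unchecked:", fuzzyFragmentsUnchecked("", payload))

	if _, err := fuzzyFragmentsChecked("article", "", payload); err != nil {
		fmt.Println("checked rejects payload:", err)
	}
	frags, err := fuzzyFragmentsChecked("article", "", "title, body")
	fmt.Println("checked accepts real columns:", frags, err)
}
```

The LIKE value is a bind parameter in both versions; parameterization never helps with the column, which is why the defence has to be a whitelist resolved per entity rather than any form of escaping.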


Advisories
Source: GitHub GHSA
ID: GHSA-pwqg-q8pg-pp6r
Title: Daptin fuzzy search injects unvalidated column name into raw SQL
History

Thu, 07 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Daptin; Daptin daptin
Vendors & Products | (none) | Daptin; Daptin daptin

Thu, 07 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/<entity> with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user — including one who self-registered with no admin involvement — can read the entire database. This issue has been patched in version 0.11.5.
Title | (none) | Daptin fuzzy search injects unvalidated column name into raw SQL
Weaknesses | (none) | CWE-89
References | (none) | (none listed)
Metrics | (none) | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:57:10.113Z

Reserved: 2026-05-05T19:52:59.148Z

Link: CVE-2026-44349

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-07T15:16:10.903

Modified: 2026-05-07T15:47:46.853

Link: CVE-2026-44349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:06Z

Weaknesses