Description
Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated SQL injection exists in Metacat’s /harvesterRegistration endpoint; input is concatenated into an INSERT statement without escaping, allowing attackers to inject arbitrary SQL. Because PostgreSQL permits stacked queries, the flaw provides full read, write, and execution rights within the Metacat database context. The vulnerability combines authentication bypass (CWE‑287) and classic SQL injection (CWE‑89).

Affected Systems

The vulnerable product is NCEAS Metacat. Versions 2.0.0 and later are affected until the issue was remediated in Metacat 3.0.0.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score is less than 1 %, suggesting a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and the CVE description does not address known public exploits, so it is unclear whether such exploits exist. Based on the description, the likely attack vector is the open /harvesterRegistration endpoint reachable by any client; an attacker who can send HTTP requests to this endpoint can craft parameters that inject SQL, leading to full read, write, and execution rights within the Metacat database context.

Generated by OpenCVE AI on June 18, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Metacat to version 3.0.0 or later to eliminate the vulnerability.
  • Restrict or disable the /harvesterRegistration endpoint to trusted IP ranges if it is required.
  • Implement input validation and use parameterized queries for all database interactions to prevent similar issues in future.

Generated by OpenCVE AI on June 18, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Nceas
Nceas metacat
Vendors & Products Nceas
Nceas metacat

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity. Allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.
Title Metacat has an unauthenticated SQL injection vulnerability
Weaknesses CWE-287
CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T22:07:41.397Z

Reserved: 2026-05-20T18:46:58.289Z

Link: CVE-2026-48114

cve-icon Vulnrichment

Updated: 2026-06-15T22:07:36.486Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:28.957

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-48114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:08:14Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')