Description
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mercator's Query Engine endpoint (`/admin/queries/execute`) lets an authenticated user submit JSON DSL queries that are translated into Eloquent queries and returned as JSON. `QueryController::execute()` lacks the authorization gate that `store()` and `massDestroy()` in the same controller apply, so any authenticated account, including the read-only Auditor role, can query models beyond its intended scope, including the `User` model. The `password` column is declared `$hidden`, so it is not serialized into responses, but `$hidden` is not applied to filter predicates: an attacker can place the column in a `LIKE` condition and learn, from whether rows come back, whether the stored value (a password hash in a standard Laravel deployment) matches a given pattern. The `schema()` and `schemaModel()` methods of the same controller are likewise unguarded and reveal model structure to any authenticated account. The Query Engine is read-only, so integrity and availability are unaffected; the impact is confidentiality: disclosure of user records, and of information about stored credentials through the predicate oracle, to accounts that should not have it.
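To make the two missing checks concrete, here is an added example that is not Mercator's code: a small Python model of a Query Engine of the kind the description outlines, backed by an in-memory SQLite table, with a `hardened` switch. The DSL keys `from`, `select` and `filters` follow the description; the role names, the per-role model allowlist, the column sets, the `like`/`eq` operators and the sample user rows (including the bcrypt-shaped placeholder hashes) are all constructed for the demonstration and are not taken from the project. It shows why `$hidden` alone is insufficient: the unpatched path drops `password` from the output but still honours a `LIKE` predicate on it, so the returned row set answers a yes/no question about the stored hash; the hardened path enforces a per-role gate on the target model and refuses predicates on hidden attributes, which is the application-layer restriction the recommended actions call for.

```python
"""Model of a Query Engine like the one described in the CVE.  Added example,
not Mercator's PHP/Eloquent code.  Roles, allowlists, columns and rows are
constructed for the demo."""
import sqlite3

# Assumed per-role allowlist of models the engine may target.  Mercator's real
# scoping rules are not given in the advisory.
ROLE_MODELS = {
    "admin": {"users", "servers"},
    "auditor": {"servers"},
}

# Attributes a model hides from serialization (Eloquent's $hidden).  Hiding only
# affects output; the vulnerable engine still accepts them inside filters.
HIDDEN = {"users": {"password", "remember_token"}}

COLUMNS = {
    "users": {"id", "name", "email", "password", "remember_token"},
    "servers": {"id", "name", "ip"},
}

OPS = {"eq": "=", "like": "LIKE"}


class QueryError(Exception):
    pass


def build_sql(dsl, hardened):
    """Translate the JSON DSL into a parameterized SQL statement.

    hardened=False reproduces the pre-fix behaviour: hidden columns are dropped
    from SELECT but still accepted in filters, so a LIKE predicate on `password`
    becomes a yes/no oracle over the stored value."""
    table = dsl["from"]
    if table not in COLUMNS:
        raise QueryError(f"unknown model {table!r}")
    hidden = HIDDEN.get(table, set())
    wanted = dsl.get("select", sorted(COLUMNS[table]))
    select = [c for c in wanted if c in COLUMNS[table] and c not in hidden]
    if not select:
        raise QueryError("no selectable columns")
    where, params = [], []
    for f in dsl.get("filters", []):
        col, op = f["field"], f["op"]
        if col not in COLUMNS[table] or op not in OPS:
            raise QueryError(f"bad predicate {f!r}")
        if hardened and col in hidden:
            # The fix: $hidden applies to predicates as well as to output.
            raise QueryError(f"column {col!r} may not be filtered")
        where.append(f"{col} {OPS[op]} ?")
        params.append(f["value"])
    sql = f"SELECT {', '.join(select)} FROM {table}"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql, params


def execute(conn, role, dsl, hardened):
    """The controller action.  The authorization gate is the other missing check."""
    if hardened and dsl["from"] not in ROLE_MODELS[role]:
        raise QueryError(f"role {role!r} may not query {dsl['from']!r}")
    sql, params = build_sql(dsl, hardened)
    cur = conn.execute(sql, params)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def is_denied(conn, role, dsl, hardened):
    """True if the engine refuses the query (gate or predicate check)."""
    try:
        execute(conn, role, dsl, hardened)
    except QueryError:
        return True
    return False


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, email TEXT, "
                 "password TEXT, remember_token TEXT)")
    conn.execute("CREATE TABLE servers(id INTEGER, name TEXT, ip TEXT)")
    # Constructed rows; the hash values are placeholders shaped like bcrypt output.
    conn.executemany("INSERT INTO users VALUES(?,?,?,?,?)", [
        (1, "alice", "alice@example.test", "$2y$10$abcdefghijklmnopqrstuv", "tok1"),
        (2, "bob", "bob@example.test", "$2y$10$zyxwvutsrqponmlkjihgfe", "tok2"),
    ])
    conn.execute("INSERT INTO servers VALUES(1, 'web01', '10.0.0.5')")
    return conn


# A prefix probe against the hidden column: matches alice only if her stored
# hash starts with "$2y$10$ab".  Unpatched: returns [{'id': 1}].  Hardened: refused.
ORACLE = {"from": "users", "select": ["id"],
          "filters": [{"field": "password", "op": "like", "value": "$2y$10$ab%"}]}
```

Calling `execute(demo_db(), "auditor", ORACLE, hardened=False)` returns `[{'id': 1}]`, which is the oracle: no password value is serialized, yet the caller learns that one stored hash begins with the probed prefix. With `hardened=True` the same call from an auditor is stopped at the gate, and an admin issuing it is stopped at the predicate check instead. In Eloquent terms the equivalent fix compares each filter field against `$model->getHidden()` before adding a `where` clause, and wraps the action in the same gate that `store()` and `massDestroy()` already use.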

Affected Systems

The vulnerable application is the open-source Mercator platform (vendor listed as Sourcentis on this record), versions earlier than 2025.05.19. Any authenticated user, even one holding only the read-only Auditor role, can call the unprotected Query Engine endpoint to enumerate or retrieve data from any model, the User model included, and can call the unguarded schema endpoints to learn model structure.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 7.1 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N), a high-severity information-disclosure rating; its EPSS score is not available, and it is not listed in CISA's KEV catalog. Exploitation requires only a valid account: an attacker with low-privilege credentials can invoke the read-only Query Engine over the network without user interaction or elevated privileges. System integrity and availability remain intact, but the flaw exposes user records to accounts outside their intended scope and lets LIKE predicates probe the hidden password column, making it a high-priority issue for environments managing protected data.

Generated by OpenCVE AI on June 19, 2026 at 21:50 UTC.

Remediation

The CVE description states that version 2025.05.19 patches the issue; no separate vendor advisory or workaround is linked on this record.

OpenCVE Recommended Actions

  • Upgrade to Mercator 2025.05.19 or later, the version the CVE description names as patching the issue.
  • Until upgraded, restrict the /admin/queries/execute endpoint and the schema() and schemaModel() actions of the same controller (route paths not given in the advisory) to administrators, using application-layer authorization or reverse-proxy/firewall rules.
  • Monitor authentication and query logs for abnormal use of the Query Engine or schema endpoints, and investigate promptly.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:30:00 +0000

Type: First Time appeared
  Values Added: Sourcentis; Sourcentis mercator
Type: Vendors & Products
  Values Added: Sourcentis; Sourcentis mercator

Fri, 19 Jun 2026 20:00:00 +0000

Type: Description
  Values Added: (the CVE description shown at the top of this page)
Type: Title
  Values Added: Mercator has a Personal Identifiable Information Leak from Query Executor feature
Type: Weaknesses
  Values Added: CWE-359
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:22:33.640Z

Reserved: 2026-05-29T14:35:45.903Z

Link: CVE-2026-49344

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:15:03Z

Weaknesses
  • CWE-359

    Exposure of Private Personal Information to an Unauthorized Actor