Description
The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote, authenticated attacker holding the tokens/update permission on a survey can inject a crafted array element to perform SQL injection. Because LimeSurvey configures its PDO connection with emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statements, the injection supports stacked queries: the attacker can append arbitrary additional statements (INSERT/UPDATE/DELETE/DROP/CREATE) after the original SELECT. This permits both arbitrary read of any data in the database, such as administrator bcrypt password hashes (lime_users), survey response PII, session records, and global settings, all recoverable via a SLEEP() time-based blind oracle, and arbitrary write/destruction of that data, including directly overwriting the administrator password hash for immediate account takeover or dropping/truncating tables. Reads and writes extend to any schema the application's database user can access. The RemoteControl interface (RPCInterface = json/xml) must be enabled, which is not the default.
Published: 2026-06-09
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the RemoteControl API methods invite_participants and remind_participants of LimeSurvey. A caller-supplied array of token IDs is concatenated directly into an SQL clause without parameterization or validation. This enables a remote, authenticated attacker with the tokens/update permission on a survey to inject SQL. Because the PDO connection uses emulated prepared statements and multi-statements are permitted, the attacker can append arbitrary SQL statements, allowing both data exfiltration and destructive writes. The attacker can read any database table accessible to the application user, including administrator password hashes, PII from survey responses, and session data, and can overwrite the administrator password hash to take over the account or delete/modify critical database objects.
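The concatenation pattern the Description and Impact sections refer to, beside a hardened version of the same lookup and the PDO connection options that remove the stacked-query amplifier, as an added PHP/PDO illustration; this is not LimeSurvey's code. The function names, the per-survey table name survey_tokens_{id}, the columns tid/email/sent and the DSN credentials are assumed.

```php
<?php
declare(strict_types=1);

// Weak pattern (the shape the CVE describes): each element is quoted and glued
// into the IN list, so a non-numeric element becomes part of the SQL text.
function findUninvitedWeak(PDO $db, int $surveyId, array $tokenIds): array
{
    $list = "'" . implode("','", $tokenIds) . "'";
    $sql = "SELECT tid, email FROM survey_tokens_{$surveyId} "
         . "WHERE sent = 'N' AND tid IN ({$list})";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a positive integer, then bind one
// placeholder per element so the values are never parsed as SQL.
function findUninvitedSafe(PDO $db, int $surveyId, array $tokenIds): array
{
    if ($tokenIds === []) {
        return [];
    }
    $ids = [];
    foreach ($tokenIds as $tid) {
        $clean = filter_var($tid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($clean === false) {
            throw new InvalidArgumentException('token id must be a positive integer');
        }
        $ids[] = $clean;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT tid, email FROM survey_tokens_{$surveyId} "
         . "WHERE sent = 'N' AND tid IN ({$placeholders})";
    $stmt = $db->prepare($sql);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection options that remove the stacked-query amplifier the CVE relies on:
// native server-side prepares (no client-side emulation) and no multi-statements.
$db = new PDO('mysql:host=localhost;dbname=limesurvey', 'dbuser', 'dbpass', [
    PDO::ATTR_EMULATE_PREPARES       => false,
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
]);
```

The survey ID reaches the table name only as a typed int; the validation step is what closes the hole even if the connection options cannot be changed, since a bound integer cannot terminate the IN list.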

Affected Systems

Vendors affected: LimeSurvey. Product: LimeSurvey. No specific version or product release information is provided in the CVE data, so all installed instances of LimeSurvey are potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, so the current exploitation probability is unknown, but the lack of a KEV listing suggests no known widespread exploitation yet. The likely attack vector is remote, authenticated access with the appropriate permission on a survey and the RemoteControl API enabled (which is not the default). Because the flaw leverages unparameterized SQL and allows stacked queries, a determined attacker can achieve significant data breach and account takeover with modest access to the application. Therefore, the risk remains high for organizations running an exposed RemoteControl interface without additional safeguards.

Generated by OpenCVE AI on June 9, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest LimeSurvey release that contains a fix for the RemoteControl token injection vulnerability
  • If a patch is not yet available or cannot be applied immediately, disable the RemoteControl API (RPCInterface = json/xml) to block the attack surface
  • Restrict or remove tokens/update permissions from users who do not need them, and enforce strict input validation or parameterized queries when handling token identifiers


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:00:00 +0000

Values removed: none. Values added:

Description: identical to the Description section above
Title: LimeSurvey RemoteControl invite_participants/remind_participants SQL Injection
First Time appeared: Limesurvey; Limesurvey limesurvey
Weaknesses: CWE-89
CPEs: cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*
Vendors & Products: Limesurvey; Limesurvey limesurvey
References: none listed
Metrics: cvssV3_1 score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; cvssV4_0 score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T18:58:22.756Z

Reserved: 2026-06-05T11:53:55.168Z

Link: CVE-2026-50636

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-09T18:17:10.620

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-50636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses