Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Published: 2026-05-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated SQL Injection flaw exists in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) of dotCMS Core. Unsanitized user input is directly incorporated into dynamically constructed SQL statements, enabling attackers to read, modify, or delete arbitrary database records. This weakness falls under CWE-89 and can lead to data loss, tampering, and potential escalation of privileges if the database contains application logic or stored procedures that execute with higher privileges.

Affected Systems

The vulnerability affects dotCMS Core versions 25.11.04-1 through 26.04.28-02. Versions from 26.04.28-03 onward carry the fix, and LTS releases are not impacted because the offending code path was never backported to them.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. EPSS data is not available, but the lack of authentication on the API surface presents a clear, network-based attack vector, making exploitation straightforward for an outside attacker. The vulnerability is not listed in the CISA KEV catalog. The fix requires upgrading to dotCMS Core 26.04.28-03 or later, which enforces authentication and publishing-queue permissions before processing requests.

Generated by OpenCVE AI on May 27, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to dotCMS Core 26.04.28-03 or later, which requires authenticated backend users with the publishing-queue portlet permission to access the affected endpoints.
  • Ensure that only authenticated users with the publishing-queue permission can invoke the /api/auditPublishing endpoints by checking user roles and permissions before processing requests.
  • If an immediate upgrade is not possible, block external access to the /api/auditPublishing endpoints at the network or application firewall level to prevent unauthenticated exploitation.

Generated by OpenCVE AI on May 27, 2026 at 11:08 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.
Title Unauthenticated SQL Injection in dotCMS Publish Audit API
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: dotCMS

Published:

Updated: 2026-05-27T13:40:13.159Z

Reserved: 2026-05-06T19:20:23.237Z

Link: CVE-2026-8054

Vulnrichment

Updated: 2026-05-27T13:40:09.444Z

NVD

Status: Received

Published: 2026-05-27T09:16:32.630

Modified: 2026-05-27T09:16:32.630

Link: CVE-2026-8054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:15:20Z

Weaknesses