CVE-2026-46446: SOGo SQL Injection Exposes Cleartext Passwords

The National Vulnerability Database has published CVE-2026-46446, a high-severity SQL injection vulnerability in SOGo before version 5.12.7. It applies only to deployments that authenticate users against a PostgreSQL or MariaDB user source configured to store passwords in cleartext. The flaw sits in changePasswordForLogin, where the new password is written into the c_password column through an SQL statement assembled with the Objective-C '%@' format placeholder (SOGo is written in Objective-C) instead of a bound parameter, so quote and comment characters in the submitted password become part of the SQL statement itself.

With a CVSS score of 7.1 (High), a successful exploit lets an authenticated attacker with low privileges execute arbitrary SQL against the SOGo user database; the vulnerable code path is the password change performed for a login, so no elevated role is needed. Because the preconditions are a SQL-backed user source and cleartext storage, the column the attacker reaches holds every other user's password in readable form. Depending on the payload, the attacker can read other users' cleartext credentials, overwrite them (for example setting every account's password to a value they choose), or alter other database contents. This is not a password-reset nuisance; it is a route to account takeover across the user base and to data exfiltration or integrity compromise.
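To make the mechanism concrete, the following is an added, constructed Python model of the injection shape, not SOGo's own code. SOGo is written in Objective-C and builds the statement with the '%@' placeholder; Python's %-formatting stands in for that here. The table name sogo_users and the c_uid column are assumptions for illustration, and SQLite replaces PostgreSQL/MariaDB. The vulnerable function runs the attacker's new password as SQL text, the parameterized one stores it as data, and the hardened one also replaces cleartext storage with a salted PBKDF2 hash.

```python
"""Constructed model of the CVE-2026-46446 injection shape (not SOGo code).

SOGo interpolates the new password into SQL via the Objective-C '%@' format
placeholder; Python's '%s' plays that role below. Table/column names other than
c_password are assumptions, and SQLite stands in for PostgreSQL/MariaDB.
"""
import hashlib
import hmac
import os
import sqlite3

# Payload submitted as the attacker's *new* password. The '-- ' comment removes
# the WHERE clause, so the UPDATE rewrites every row. MariaDB requires the space
# after '--'; PostgreSQL and SQLite accept that form as well.
PAYLOAD = "pwned'-- "

PBKDF2_ITERATIONS = 200_000


def make_db():
    """Constructed SQL user source holding cleartext passwords (the vulnerable setup)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sogo_users (c_uid TEXT PRIMARY KEY, c_password TEXT)")
    conn.executemany(
        "INSERT INTO sogo_users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret"), ("mallory", "old")],
    )
    conn.commit()
    return conn


def passwords(conn):
    """Return {c_uid: c_password} for every row, as an auditor would see it."""
    return dict(conn.execute("SELECT c_uid, c_password FROM sogo_users"))


def change_password_vulnerable(conn, uid, new_password):
    """Pre-5.12.7 pattern: the password text is pasted into the statement text."""
    sql = "UPDATE sogo_users SET c_password = '%s' WHERE c_uid = '%s'" % (new_password, uid)
    conn.execute(sql)
    conn.commit()
    return sql  # returned so callers can inspect the statement that actually ran


def change_password_parameterized(conn, uid, new_password):
    """Bound parameters: the same payload is stored as data, never parsed as SQL."""
    conn.execute(
        "UPDATE sogo_users SET c_password = ? WHERE c_uid = ?", (new_password, uid)
    )
    conn.commit()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a stand-in for any slow, salted password hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _digest = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unexpected password scheme: " + scheme)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def change_password_hardened(conn, uid, new_password):
    """Both fixes together: parameter binding and a salted hash in c_password."""
    conn.execute(
        "UPDATE sogo_users SET c_password = ? WHERE c_uid = ?",
        (hash_password(new_password), uid),
    )
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    print(change_password_vulnerable(db, "mallory", PAYLOAD))
    print(passwords(db))  # every account now carries the attacker's password
    db = make_db()
    change_password_parameterized(db, "mallory", PAYLOAD)
    print(passwords(db))  # only mallory changed, and the payload is inert text
```

Running the module prints the statement that actually executed in the vulnerable path, `UPDATE sogo_users SET c_password = 'pwned'-- ' WHERE c_uid = 'mallory'`, and shows that the comment swallowed the WHERE clause. The parameterized path stores the identical payload for mallory alone, and the hardened path leaves nothing readable in c_password even if a later injection or a leaked dump exposes the column.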

Defenders should upgrade SOGo to 5.12.7 or newer. Beyond patching, the precondition itself is the deeper problem: storing passwords in cleartext. Even on a patched instance, a SQL user source with cleartext passwords turns any future injection, a leaked backup or a stolen read-only database credential into a full credential dump. Review the SQL user-source configuration (the password scheme is set per source with the userPasswordAlgorithm key under SOGoUserSources; check the SOGo documentation for the schemes your version supports) and migrate existing cleartext values to a salted password hash. Hashed and salted storage is the floor, not the target; a deliberately slow scheme such as bcrypt or Argon2 is what current guidance expects.

What This Means For You

  • If your organization runs SOGo against PostgreSQL or MariaDB, and especially if the user source still stores cleartext passwords, you are exposed: any low-privilege account can turn a password change into arbitrary SQL against the table that holds everyone else's credentials. Patch to SOGo 5.12.7 now, then audit how passwords are stored; the patch closes this injection, but cleartext storage leaves the same blast radius for the next one.

🛡️ Detection Rules

Three detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; the one reproduced below is in Sigma YAML.

Level: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-46446: SOGo SQL Injection Attempt via c_password Parameter

Sigma YAML
title: CVE-2026-46446: SOGo SQL Injection Attempt via c_password Parameter
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Flags requests to a SOGo instance whose query string carries a password-bearing
  parameter containing SQL metacharacters (a single quote, a comment sequence or a
  statement separator, raw or URL-encoded). The literal text c_password = '%@' quoted
  in the NVD description is the Objective-C format placeholder in SOGo's own source
  and never appears in attacker traffic, so the rule does not match on it; the
  injected SQL is whatever the attacker submits as the new password, which is what
  this rule inspects. Caveat: SOGo's change-password request normally carries the
  password in the request body, which a standard webserver access log does not
  record, so this rule is only effective on logs from a reverse proxy or WAF that
  exposes request parameters in the cs-uri-query field.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-46446/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_app:
    cs-uri|contains: '/SOGo/'
  selection_param:
    cs-uri-query|contains: 'password'
  selection_payload:
    cs-uri-query|contains:
      - "'"
      - '%27'
      - '--'
      - '%2D%2D'
      - ';'
      - '%3B'
  condition: all of selection_*
falsepositives:
  - Legitimate passwords that contain quotes, dashes or semicolons
  - Administrative or test traffic against the SOGo instance

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type  Indicator
CVE-2026-46446  SQLi  SOGo before 5.12.7
CVE-2026-46446  SQLi  Vulnerable when PostgreSQL or MariaDB is used
CVE-2026-46446  SQLi  Vulnerable when cleartext passwords are stored
CVE-2026-46446  SQLi  Related to c_password = '%@' in changePasswordForLogin
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 07:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
