CVE-2026-8851: SOGo SQL Injection Exposes Database Data

/HIGH /CVSS 8.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-89
CVE-2026-8851: SOGo SQL Injection Exposes Database Data

The National Vulnerability Database (NVD) has detailed CVE-2026-8851, a high-severity SQL injection vulnerability impacting SOGo 5.12.7. This flaw resides within the Access Control List (ACL) management functionality. Authenticated users can exploit this by injecting SQL subqueries via the uid parameter in the addUserInAcls endpoint.

Attackers can leverage this vulnerability to extract arbitrary data from the database. Critically, the NVD notes that malicious SQL code can be injected to write this extracted data into the sogo_acl table. This establishes an out-of-band data exfiltration channel, allowing attackers to retrieve the stolen information through the /acls API. The CVSSv3.1 score is 8.1 (HIGH), signaling significant risk due to high confidentiality and integrity impacts without requiring complex attack conditions.

This isn’t just a data leak; it’s a controlled data exfiltration mechanism. An attacker who gains authenticated access — perhaps through stolen credentials or another initial compromise — can systematically siphon off sensitive information, effectively bypassing standard monitoring if not specifically looking for these API calls. Defenders need to recognize the dual threat here: initial database compromise and then the stealthy exfiltration channel.

What This Means For You

  • If your organization uses SOGo 5.12.7, you are directly exposed to this high-severity SQL injection. Immediately identify all SOGo instances in your environment and prioritize patching to a fixed version. Beyond patching, review your SOGo access logs for any anomalous activity related to ACL management or `/acls` API calls, especially from authenticated users, as this could indicate active exploitation or reconnaissance.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 SQL Execution T1048.003 Exfiltration Over Alternative Protocol Exfiltration

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-8851: SOGo ACL SQL Injection via uid parameter

Sigma YAML — free preview 
title: CVE-2026-8851: SOGo ACL SQL Injection via uid parameter
id: scw-2026-05-18-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-8851 by looking for POST requests to SOGo's /SOGo/dav/ endpoint with a 'uid' parameter containing SQL injection patterns like SELECT, FROM, UNION, and targeting the 'sogo_acl' table. This indicates an attempt to extract data via the ACL management functionality.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8851/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/SOGo/dav/'
      cs-uri-query|contains:
          - 'uid=' 
      cs-uri-query|contains:
          - 'SELECT'
      cs-uri-query|contains:
          - 'FROM'
      cs-uri-query|contains:
          - 'UNION'
      cs-uri-query|contains:
          - 'sogo_acl'
      cs-method|exact:
          - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-8851 SQLi SOGo 5.12.7
CVE-2026-8851 SQLi Access Control List management functionality
CVE-2026-8851 SQLi addUserInAcls endpoint via uid parameter
CVE-2026-8851 Information Disclosure Data exfiltration via sogo_acl table and /acls API

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 19, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma