Executive Summary
CVE-2026-33615 is a critical unauthenticated SQL injection vulnerability affecting a product's setinfo endpoint. The flaw allows a remote, unauthenticated attacker to manipulate a SQL UPDATE command through improper neutralization of special elements, resulting in a total loss of integrity and availability.
CVSS Score: 9.1 (Critical)
No authentication is required to exploit this vulnerability. Attackers who can reach the affected endpoint over the network can immediately abuse the injection to corrupt or destroy stored data.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-33615 |
| CVSS Score | 9.1 (Critical) |
| Type | SQL Injection (CWE-89) |
| Attack Vector | Network |
| Privileges Required | None (Unauthenticated) |
| User Interaction | None |
| Endpoint | /setinfo (SQL UPDATE context) |
| Impact | Total integrity & availability loss |
Technical Details
The vulnerability exists in the setinfo endpoint, which constructs a SQL UPDATE query without properly sanitizing or parameterizing user-supplied input. An attacker can inject arbitrary SQL syntax into the query, enabling them to:
- Overwrite arbitrary data in any accessible table
- Truncate or drop database tables, causing complete availability loss
- Exfiltrate data via error-based or time-based blind injection techniques
- Bypass access controls enforced at the application layer by directly manipulating backend records
Vulnerable query pattern (simplified):
UPDATE table SET field = '<USER_INPUT>'
^--- injection point
Attack payload example:
value'; UPDATE users SET password='attacker' WHERE '1'='1
Because the endpoint requires no authentication, exploitation requires only network access to the target service — making internet-exposed instances trivially compromisable.
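As an added example that is not part of the original advisory and not the vendor's code, the following Python/sqlite3 script contrasts the string-built UPDATE described above with a parameterized version, feeding both the payload shown earlier. The table and column names are constructed for the demo, and executescript stands in for a database driver that accepts stacked statements (an assumption about the affected product).

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the advisory).
def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE info(id INTEGER PRIMARY KEY, field TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO info VALUES (1, 'old');
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
    """)
    return con

def setinfo_vulnerable(con, user_input):
    # Same pattern as the advisory: user input concatenated straight into the UPDATE.
    # executescript models a driver that runs stacked statements (assumption).
    con.executescript("UPDATE info SET field = '" + user_input + "'")

def setinfo_fixed(con, user_input):
    # Parameterized query: the input is bound as data and cannot change the SQL.
    con.execute("UPDATE info SET field = ?", (user_input,))

def passwords(con):
    return [row[0] for row in con.execute("SELECT password FROM users ORDER BY id")]

# The payload from the advisory above.
PAYLOAD = "value'; UPDATE users SET password='attacker' WHERE '1'='1"

def demo():
    vuln = fresh_db()
    setinfo_vulnerable(vuln, PAYLOAD)   # second statement rewrites every password
    fixed = fresh_db()
    setinfo_fixed(fixed, PAYLOAD)       # payload is stored verbatim; users untouched
    return {
        "vulnerable_passwords": passwords(vuln),
        "fixed_passwords": passwords(fixed),
        "fixed_stored_field": fixed.execute("SELECT field FROM info").fetchone()[0],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable path leaves every users row with password 'attacker', while the parameterized path writes the whole payload into info.field as an ordinary string and leaves the users table unchanged.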
Impact Assessment
| Impact Category | Severity |
|---|---|
| Data Integrity | Critical — arbitrary record modification |
| Availability | Critical — data deletion/corruption possible |
| Confidentiality | High — data exfiltration via blind SQLi |
| Authentication Required | None |
| Complexity | Low — straightforward injection |
The CVSS base score of 9.1 reflects the combination of no authentication requirement, network-accessible attack vector, and the potential for complete data loss.
Affected Versions
Refer to the official vendor advisory for a complete list of affected product versions. The vulnerability was published to the NVD on 2026-04-02.
Remediation
Immediate Steps
- Apply vendor patch as soon as it becomes available — check the vendor's security advisory
- Restrict network access to the setinfo endpoint — firewall or ACL rules should block untrusted sources from reaching the endpoint
- Deploy a WAF rule to block SQL injection patterns targeting the affected endpoint
- Audit database logs for suspicious UPDATE activity that may indicate prior exploitation
If No Patch Is Available
MITIGATIONS:
- Block external access to the setinfo endpoint at the network perimeter
- Enable database activity monitoring to alert on unexpected UPDATE statements
- Implement input validation at the reverse proxy layer (WAF)
- Rotate all database credentials as a precaution if the endpoint was exposed
Detection Indicators
| Indicator | Description |
|---|---|
| Anomalous SQL UPDATE statements | Payloads containing quotes, semicolons, or SQL keywords |
| Unexpected POST requests to /setinfo | High-volume or malformed requests |
| Database table modifications | Unexpected changes to records outside normal application flow |
| Application errors | SQL syntax errors logged after abnormal input |