CVE-2026-1476 Overview
CVE-2026-1476 is an out-of-band SQL injection (OOB SQLi) vulnerability in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación (Quatuor). The flaw resides in the Id_usuario parameter of the /evaluacion_acciones_ver_auto.aspx endpoint. Unauthenticated remote attackers can exploit the parameter to exfiltrate database contents through external channels even when the application does not return query results in HTTP responses. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated attackers can extract sensitive data from the backend database over out-of-band channels, compromising the confidentiality of stored records without leaving direct response evidence.
Affected Products
- Quatuor Evaluación de Desempeño (EDD) - all versions per cpe:2.3:a:quatuor:evaluacion_de_desempeno:-
- /evaluacion_acciones_ver_auto.aspx endpoint
- Deployments developed by Gabinete Técnico de Programación
Discovery Timeline
- 2026-01-27 - CVE-2026-1476 published to the National Vulnerability Database (NVD)
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-1476
Vulnerability Analysis
The vulnerability is a server-side SQL injection in an ASP.NET application. The Id_usuario request parameter passed to /evaluacion_acciones_ver_auto.aspx is concatenated into a backend SQL query without proper sanitization or parameterization. Attackers reach the vulnerable code path without authentication and without user interaction.
Because the application does not return query results inline, exploitation relies on out-of-band data exfiltration techniques. Attackers trigger DNS or HTTP callbacks from the database server, encoding the results of injected subqueries into hostnames or URLs they control. This pattern is common against Microsoft SQL Server backends using functions such as xp_dirtree, xp_fileexist, or OPENROWSET against attacker-controlled UNC paths.
Root Cause
The root cause is improper neutralization of user-supplied input in the Id_usuario parameter. Input is concatenated directly into a SQL statement rather than handled through parameterized queries or stored procedures with strict typing. The absence of input validation and type coercion, together with the use of an over-privileged database account, compounds the impact.
Attack Vector
The attack vector is network-based. An attacker crafts a malicious HTTP request to /evaluacion_acciones_ver_auto.aspx, injecting SQL syntax into the Id_usuario parameter that forces the database server to issue an outbound network request to attacker infrastructure. Each request encodes a fragment of extracted data, allowing iterative exfiltration of tables and columns containing employee evaluation records, credentials, or other sensitive information.
No verified public proof-of-concept code is available. Refer to the INCIBE CERT Security Notice for vendor-coordinated disclosure details.
Detection Methods for CVE-2026-1476
Indicators of Compromise
- Outbound DNS queries from the database server to unfamiliar external domains, particularly with long, base32 or hex-encoded subdomain labels.
- Outbound SMB or HTTP traffic from the SQL Server host to internet-facing IP addresses.
- IIS logs showing requests to /evaluacion_acciones_ver_auto.aspx with unusual characters or SQL keywords (', ;, --, WAITFOR, EXEC) in the Id_usuario parameter.
Detection Strategies
- Inspect web server logs for anomalous values, encoded payloads, or excessive length in the Id_usuario query string parameter.
- Deploy WAF rules that flag SQL keywords and out-of-band functions (xp_dirtree, xp_cmdshell, OPENROWSET, UNC paths) targeting the EDD endpoint.
- Correlate spikes in DNS lookups originating from database hosts with concurrent HTTP requests to the EDD application.
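The three detection strategies above, worked through as an added example that is not part of the advisory: a small Python hunt that flags anomalous Id_usuario values in IIS W3C log lines, flags DNS lookups from the SQL Server host whose subdomain labels look like hex or base32 chunks, and pairs the two within a time window. The log lines, the SQL Server host address and the DNS log layout (date time client qname) are all constructed assumptions.

```python
"""Hunt for CVE-2026-1476 exploitation: pair anomalous Id_usuario requests in IIS logs
with encoded-looking DNS lookups from the SQL Server host (added example, constructed logs)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

EDD_ENDPOINT = "/evaluacion_acciones_ver_auto.aspx"
# Markers the advisory lists as indicators inside Id_usuario
SQL_MARKERS = re.compile(r"[';]|--|\bWAITFOR\b|\bEXEC\b", re.IGNORECASE)
# Heuristic for exfiltration chunks: long labels drawn only from a hex or base32 alphabet
ENCODED_LABEL = re.compile(r"^(?:[0-9a-f]{20,}|[a-z2-7]{20,})$", re.IGNORECASE)
DB_HOSTS = {"10.0.0.20"}  # assumed address of the SQL Server host

# Constructed IIS W3C lines (#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status); client addresses are documentation ranges.
IIS_LOG = """\
2026-02-10 10:15:01 10.0.0.5 GET /evaluacion_acciones_ver_auto.aspx Id_usuario=1042 443 - 203.0.113.7 Mozilla/5.0 200
2026-02-10 10:15:09 10.0.0.5 GET /evaluacion_acciones_ver_auto.aspx Id_usuario=1042%27%3BWAITFOR-- 443 - 203.0.113.7 Mozilla/5.0 200
2026-02-10 10:16:40 10.0.0.5 GET /otra_pagina.aspx Id_usuario=7 443 - 198.51.100.2 Mozilla/5.0 200
"""
# Constructed DNS query log; the "date time client qname" layout is an assumption.
DNS_LOG = """\
2026-02-10 10:15:10 10.0.0.20 7a3f9c2e1b4d8a6f0e5c.exfil-example.invalid
2026-02-10 10:15:30 10.0.0.20 wpad.corp.example
2026-02-10 10:40:00 10.0.0.20 2b9e1f7c4d0a6e3b8c5d91.exfil-example.invalid
"""


def _ts(day, clock):
    return datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")


def parse_iis(text):
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        events.append({"ts": _ts(f[0], f[1]), "stem": f[4], "query": f[5], "client": f[8]})
    return events


def id_usuario_anomaly(query):
    """Reason string when Id_usuario is not a short plain integer, else None."""
    for value in parse_qs(query, keep_blank_values=True).get("Id_usuario", []):
        if SQL_MARKERS.search(value):
            return "SQL marker in value"
        if not value.isdigit():
            return "non-numeric value"
        if len(value) > 12:
            return f"excessive length ({len(value)})"
    return None


def suspicious_iis_events(events):
    hits = []
    for e in events:
        if e["stem"].lower() == EDD_ENDPOINT:
            reason = id_usuario_anomaly(e["query"])
            if reason:
                hits.append({**e, "reason": reason})
    return hits


def parse_dns(text):
    events = []
    for line in text.splitlines():
        if line:
            day, clock, client, qname = line.split()
            events.append({"ts": _ts(day, clock), "client": client, "qname": qname})
    return events


def suspicious_dns_events(events, db_hosts=DB_HOSTS):
    """Lookups from a DB host whose subdomain labels look like encoded data."""
    hits = []
    for e in events:
        labels = e["qname"].rstrip(".").split(".")
        # skip the registrable domain (last two labels); only subdomain labels carry chunks
        if e["client"] in db_hosts and any(ENCODED_LABEL.match(l) for l in labels[:-2]):
            hits.append(e)
    return hits


def correlate(web_hits, dns_hits, window=timedelta(seconds=60)):
    """Pair each anomalous EDD request with DB-host lookups that follow it within the window."""
    return [(w, d) for w in web_hits for d in dns_hits if w["ts"] <= d["ts"] <= w["ts"] + window]


def run(iis_text=IIS_LOG, dns_text=DNS_LOG):
    web = suspicious_iis_events(parse_iis(iis_text))
    dns = suspicious_dns_events(parse_dns(dns_text))
    return web, dns, correlate(web, dns)


if __name__ == "__main__":
    for w, d in run()[2]:
        print(f"{w['ts']} {w['client']} -> {EDD_ENDPOINT} ({w['reason']}); "
              f"DNS {d['ts']} from {d['client']}: {d['qname']}")
```

The label heuristic is deliberately loose (a 20-letter ordinary hostname label also matches the base32 branch), so treat a DNS hit alone as a lead and the correlated pair as the alert; in production, replace the inline strings with a tail of the real IIS directory and the resolver's query log, and widen the window if the application tier and the database are in different time zones.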
Monitoring Recommendations
- Enable SQL Server auditing to log execution of extended stored procedures and of functions that trigger outbound name resolution from the database engine.
- Forward IIS, DNS, and firewall egress logs to a centralized analytics platform for correlation across web, database, and network tiers.
- Alert on any egress traffic from database servers that should normally have no direct internet access.
How to Mitigate CVE-2026-1476
Immediate Actions Required
- Restrict access to /evaluacion_acciones_ver_auto.aspx via network ACLs or VPN until a patched version is deployed.
- Block outbound DNS, HTTP, and SMB egress from the database server to untrusted destinations.
- Rotate database credentials and review audit logs for prior exfiltration activity.
Patch Information
No vendor patch URL has been published in the enriched CVE data at the time of writing. Customers should contact Quatuor (Gabinete Técnico de Programación) directly and monitor the INCIBE CERT Security Notice for updated remediation guidance.
Workarounds
- Place a web application firewall in front of the EDD application with rules that reject non-numeric input in the Id_usuario parameter.
- Run the application's database account with least privilege, removing rights to execute xp_dirtree, xp_cmdshell, and OPENROWSET.
- Disable outbound network access from the SQL Server host to break the out-of-band exfiltration channel.
# Example egress restriction on the database host (Windows firewall)
# Caveat: remoteip=any also cuts the host off from its internal DNS resolvers,
# domain controllers and file shares. Scope remoteip to public address ranges,
# or set the profile's default outbound action to block and add allow rules
# only for internal resolvers and the application tier. Explicit block rules
# take precedence over allow rules in Windows Firewall, so an allow rule
# cannot carve an exception out of the rules below.
netsh advfirewall firewall add rule name="Block DB Egress DNS" dir=out action=block protocol=UDP remoteport=53 remoteip=any
netsh advfirewall firewall add rule name="Block DB Egress SMB" dir=out action=block protocol=TCP remoteport=445 remoteip=any
netsh advfirewall firewall add rule name="Block DB Egress HTTP" dir=out action=block protocol=TCP remoteport=80,443 remoteip=any
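The root cause described under Technical Details and the workaround of rejecting non-numeric Id_usuario values, as an added example that is not EDD's own code: a Python/sqlite3 stand-in for the ASP.NET/SQL Server backend (table name, columns and rows are constructed) contrasts the concatenation pattern the advisory describes with a strictly typed, parameterized lookup and a request gate that answers 400 before any SQL runs. In ADO.NET the same binding is done with SqlParameter on SqlCommand.

```python
"""CWE-89 in miniature: string-spliced Id_usuario versus strict typing plus parameter binding.
Added example; the schema and rows are constructed and sqlite3 stands in for SQL Server."""
import sqlite3


def setup_db():
    """In-memory stand-in for the EDD database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE evaluacion_acciones (id INTEGER PRIMARY KEY, id_usuario INTEGER, accion TEXT)"
    )
    con.executemany(
        "INSERT INTO evaluacion_acciones (id_usuario, accion) VALUES (?, ?)",
        [(1, "autoevaluacion 2025"), (2, "evaluacion jefe"), (3, "plan de mejora")],
    )
    return con


def vulnerable_lookup(con, raw_id):
    """The pattern the advisory describes: the parameter becomes part of the SQL text,
    so a non-numeric value rewrites the query instead of being compared as a number."""
    sql = "SELECT accion FROM evaluacion_acciones WHERE id_usuario = " + raw_id
    return [row[0] for row in con.execute(sql)]


def parse_id_usuario(raw):
    """Strict type coercion: only a short string of decimal digits is accepted."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        raise ValueError("Id_usuario must be a positive integer")
    return int(raw)


def safe_lookup(con, raw_id):
    """Validated integer bound as a parameter; the value never touches the SQL text."""
    uid = parse_id_usuario(raw_id)
    return [
        row[0]
        for row in con.execute(
            "SELECT accion FROM evaluacion_acciones WHERE id_usuario = ?", (uid,)
        )
    ]


def handle_request(con, query_params):
    """Request gate (what the WAF workaround enforces at the edge): non-numeric
    Id_usuario is rejected with 400 before the database is ever consulted."""
    raw = query_params.get("Id_usuario", "")
    try:
        return 200, safe_lookup(con, raw)
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, tautology:", vulnerable_lookup(db, "1 OR 1=1"))
    print("hardened, same input:", handle_request(db, {"Id_usuario": "1 OR 1=1"}))
    print("hardened, valid id:", handle_request(db, {"Id_usuario": "2"}))
```

The two layers are independent on purpose: the edge gate buys time while the application is unpatched, and the parameterized query is the fix that holds once the gate is gone. Pair both with the least-privilege database account the workarounds call for, since binding alone does not shrink what a future injection elsewhere could reach.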
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.