Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27470

CVE-2026-27470: ZoneMinder Second-Order SQLi Vulnerability

CVE-2026-27470 is a second-order SQL injection flaw in ZoneMinder that allows authenticated users to execute arbitrary SQL queries. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-27470 Overview

ZoneMinder, a widely-used free and open source closed-circuit television (CCTV) software application, contains a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. While Event field values (specifically Name and Cause) are stored safely using parameterized queries, they are later retrieved and concatenated directly into SQL WHERE clauses without proper escaping. An authenticated user with Events edit and view permissions can exploit this vulnerability to execute arbitrary SQL queries against the underlying database.

Critical Impact

Authenticated attackers can execute arbitrary SQL queries, potentially leading to unauthorized data access, data manipulation, or complete database compromise in ZoneMinder surveillance systems.

Affected Products

  • ZoneMinder versions 1.36.37 and below
  • ZoneMinder versions 1.37.61 through 1.38.0

Discovery Timeline

  • 2026-02-21 - CVE-2026-27470 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2026-27470

Vulnerability Analysis

This vulnerability is classified as a second-order SQL injection (CWE-89), a sophisticated variant of traditional SQL injection attacks. Unlike first-order SQL injection where malicious input is immediately executed, second-order SQL injection involves storing malicious payloads that are later retrieved and executed in a different context.

In ZoneMinder's implementation, the getNearEvents() function in web/ajax/status.php retrieves previously stored Event field data (specifically the Name and Cause fields) and concatenates these values directly into SQL WHERE clauses. Although the initial data storage uses parameterized queries—following secure coding practices—the subsequent retrieval and usage of this data fails to apply proper escaping or parameterization.

This design flaw means an attacker can inject malicious SQL payloads into Event names or causes during the initial storage phase. When these values are later retrieved and used in the vulnerable function, the SQL injection payload executes within the database context, potentially allowing complete database access or manipulation.

Root Cause

The root cause of this vulnerability is the inconsistent application of input sanitization practices. While ZoneMinder correctly uses parameterized queries when storing Event data, the getNearEvents() function assumes that data retrieved from the database is inherently safe. This false assumption leads to direct string concatenation of user-influenced values into SQL queries without proper escaping, enabling second-order SQL injection.

Attack Vector

The attack is network-accessible and requires low privilege authentication. An attacker must have an account with Events edit and view permissions within the ZoneMinder application. The exploitation workflow involves:

  1. An authenticated attacker creates or modifies an Event, injecting SQL payloads into the Name or Cause fields
  2. The malicious payload is stored safely using parameterized queries
  3. When the getNearEvents() function in web/ajax/status.php is invoked, it retrieves the stored Event data
  4. The function concatenates the malicious payload directly into a SQL WHERE clause without escaping
  5. The injected SQL code executes with the database privileges of the ZoneMinder application

This attack pattern allows for data exfiltration, privilege escalation within the database, or modification of surveillance data. For more information on SQL injection attacks, see the OWASP SQL Injection Overview.

Detection Methods for CVE-2026-27470

Indicators of Compromise

  • Unusual or malformed Event names or causes containing SQL syntax (e.g., single quotes, UNION SELECT statements, or comment sequences like -- or /*)
  • Unexpected database queries or errors in ZoneMinder application logs
  • Evidence of data exfiltration or unauthorized database access in database audit logs
  • Abnormal activity patterns from authenticated users with Event edit permissions

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in HTTP requests targeting ZoneMinder endpoints
  • Monitor database query logs for anomalous query patterns, particularly those involving the Events table and the getNearEvents() function
  • Deploy behavioral analysis to identify users making suspicious modifications to Event names or causes
  • Enable detailed application logging for web/ajax/status.php and review for signs of exploitation attempts

Monitoring Recommendations

  • Configure alerting for database errors that may indicate failed SQL injection attempts
  • Implement real-time monitoring of ZoneMinder user activity, focusing on Event modification operations
  • Establish baseline behavior patterns for authenticated users to identify anomalous activity
  • Review ZoneMinder access logs regularly for unusual access patterns to the status.php endpoint

How to Mitigate CVE-2026-27470

Immediate Actions Required

  • Upgrade ZoneMinder to version 1.36.38 or later for the 1.36.x branch
  • Upgrade ZoneMinder to version 1.38.1 or later for the 1.37.x/1.38.x branch
  • Review Event data for suspicious or malformed entries that may contain SQL injection payloads
  • Restrict Event edit and view permissions to only trusted users until patching is complete

Patch Information

ZoneMinder has released security patches addressing this vulnerability. Users should upgrade to the following fixed versions:

For detailed information about this vulnerability, refer to the GitHub Security Advisory GHSA-r6gm-478g-f2c4.

Workarounds

  • Implement network-level access controls to restrict access to ZoneMinder's web interface to trusted networks only
  • Revoke Event edit permissions from non-essential users until the patch can be applied
  • Deploy a Web Application Firewall (WAF) with SQL injection detection rules as an additional defense layer
  • Consider temporarily disabling the affected status.php functionality if not critical to operations
bash
# Example: Restrict ZoneMinder access at the web server level (Apache)
# Add to ZoneMinder's Apache configuration
<Directory /usr/share/zoneminder/www>
    Require ip 192.168.1.0/24
    # Restrict to trusted internal network
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.