CVE-2026-27634 Overview
CVE-2026-27634 is a SQL Injection vulnerability affecting Piwigo, an open source photo gallery application for the web. Prior to version 16.3.0, four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in the ws_std_image_sql_filter() function are concatenated directly into SQL queries without any escaping or type validation. This critical flaw allows unauthenticated attackers to execute arbitrary SQL commands and potentially extract sensitive data from the database.
Critical Impact
Unauthenticated attackers can exploit this SQL Injection vulnerability to read the entire database, including user password hashes, potentially leading to full account compromise and data breach.
Affected Products
- Piwigo versions prior to 16.3.0
- All installations using the vulnerable ws_std_image_sql_filter() function
- Self-hosted Piwigo photo gallery deployments
Discovery Timeline
- April 3, 2026 - CVE-2026-27634 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27634
Vulnerability Analysis
This SQL Injection vulnerability exists in the ws_std_image_sql_filter() function within Piwigo's web services layer. The function processes date filter parameters that are intended to filter image queries by availability and creation dates. However, the implementation directly concatenates user-supplied values into SQL statements without proper sanitization, parameterization, or type validation. Since this functionality is accessible without authentication, any remote attacker can craft malicious requests to inject arbitrary SQL code.
The vulnerability is particularly severe because it enables complete database extraction. An attacker could retrieve user credentials, including password hashes, which could then be cracked offline or used in credential stuffing attacks against other services.
Root Cause
The root cause of CVE-2026-27634 is improper input validation and the lack of prepared statements or parameterized queries when handling date filter parameters. The ws_std_image_sql_filter() function accepts four date parameters and concatenates them directly into SQL queries without verifying that the input conforms to expected datetime formats. This classic SQL Injection pattern violates secure coding principles that mandate treating all user input as untrusted.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can send crafted HTTP requests to the Piwigo web services API, injecting SQL code through any of the four vulnerable date filter parameters. The injected SQL executes with the privileges of the database user configured for Piwigo, allowing data extraction operations.
// Vulnerable code pattern - date parameters concatenated without validation
// The fix adds proper datetime validation before parameters reach SQL queries
// Security patch in include/ws_functions.inc.php
foreach (array('f_min_date_available', 'f_max_date_available', 'f_min_date_created', 'f_max_date_created') as $datefield)
{
if (isset($params[$datefield]) and !is_valid_mysql_datetime($params[$datefield]))
{
global $service;
$service->sendResponse(new PwgError(WS_ERR_INVALID_PARAM, 'Invalid '.$datefield));
exit;
}
}
$clauses = array();
if ( is_numeric($params['f_min_rate']) )
{
Source: GitHub Commit Update
Detection Methods for CVE-2026-27634
Indicators of Compromise
- Unusual database queries in MySQL/MariaDB logs containing SQL syntax in date parameter fields
- Web server access logs showing requests to Piwigo API endpoints with malformed date parameters containing SQL keywords (SELECT, UNION, OR, AND)
- Unexpected database read operations or large data transfers from the database server
- Error messages in application logs indicating SQL syntax errors from malformed injection attempts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL Injection patterns in API requests targeting Piwigo date filter parameters
- Monitor database query logs for anomalous patterns such as UNION-based queries or time-based blind injection techniques
- Deploy intrusion detection systems (IDS) with signatures for common SQL Injection payloads
- Review web server logs for requests to /ws.php endpoints containing suspicious characters or SQL keywords in query parameters
Monitoring Recommendations
- Enable detailed logging on database servers to capture all queries executed against the Piwigo database
- Set up alerts for failed SQL queries that may indicate injection probing attempts
- Monitor network traffic for unusual data exfiltration patterns from the database server
- Implement real-time log analysis to detect patterns consistent with automated SQL Injection tools
How to Mitigate CVE-2026-27634
Immediate Actions Required
- Upgrade Piwigo to version 16.3.0 or later immediately
- If immediate upgrade is not possible, restrict access to Piwigo API endpoints at the network or web server level
- Review database logs for evidence of prior exploitation
- Consider rotating all user credentials if compromise is suspected
- Implement WAF rules to block SQL Injection attempts as a temporary measure
Patch Information
Piwigo has addressed this vulnerability in version 16.3.0. The patch introduces the is_valid_mysql_datetime() function that validates date parameters against expected MySQL datetime formats (YYYY-MM-DD HH:MM:SS or YYYY-MM-DD) before they are used in SQL queries. The fix ensures that only properly formatted datetime strings can pass through to the database layer.
For detailed patch information, refer to:
Workarounds
- Restrict network access to Piwigo API endpoints using firewall rules or web server configuration
- Implement a reverse proxy with SQL Injection filtering capabilities in front of Piwigo
- Disable public API access if not required for your deployment
- Use database firewall solutions to block queries containing injection patterns
# Example: Restrict access to Piwigo API at nginx level
# Add to your Piwigo server block configuration
location ~ /ws\.php {
# Allow only trusted IP addresses until patched
allow 192.168.1.0/24;
deny all;
# Or block requests with suspicious date parameters
if ($query_string ~* "(union|select|insert|update|delete|drop|;|--|')") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
