CVE-2026-28226 Overview
CVE-2026-28226 is an authenticated SQL injection vulnerability affecting Phishing Club, a phishing simulation and man-in-the-middle framework. The vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without proper allowlist validation. Because unknown values are silently passed through the RemapOrderBy() function, an authenticated attacker can inject SQL expressions into the ORDER BY clause, potentially leading to unauthorized data extraction.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to extract sensitive data from the database by injecting malicious SQL expressions into the ORDER BY clause.
Affected Products
- Phishing Club versions prior to v1.30.2
Discovery Timeline
- 2026-02-26 - CVE-2026-28226 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-28226
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection) and affects the recipient listing functionality within Phishing Club. The flaw resides in the GetOrphaned endpoint where user-supplied input is directly concatenated into SQL queries without proper sanitization. The vulnerable code path allows the sortBy parameter to flow through the RemapOrderBy() function, which was designed to map user-friendly column names to database column names. However, due to a logic flaw, unknown values that don't match any mapping entry are silently passed through unchanged, enabling blind SQL injection attacks.
The network-accessible endpoint requires authentication, meaning an attacker must first obtain valid credentials to exploit this vulnerability. Once authenticated, the attacker can manipulate the sorting parameter to inject arbitrary SQL expressions, enabling time-based or boolean-based blind SQL injection techniques to exfiltrate sensitive information from the database.
Root Cause
The root cause of this vulnerability lies in the incomplete input validation within the RemapOrderBy() function in backend/vo/queryParams.go. The function was intended to act as an allowlist for the ORDER BY parameter by mapping user-supplied sort keys to predefined database column names. However, when the provided value did not match any entry in the mapping, the function neither cleared nor rejected the input, so the raw value flowed unchanged into the SQL query construction logic. Because column names in an ORDER BY clause cannot be passed as bound query parameters, an allowlist that drops unknown values is the correct control here; the mapping only behaved as one when the input happened to match a known key.
Attack Vector
An authenticated attacker exploits this vulnerability by sending crafted HTTP requests to the GetOrphaned recipient listing endpoint with a malicious sortBy parameter. Since the application constructs SQL queries by concatenating the user-controlled value directly into the ORDER BY clause, attackers can inject SQL expressions such as CASE WHEN statements or subqueries to perform blind SQL injection. This enables data extraction through boolean-based or time-based techniques, where the attacker infers database contents by observing application responses or response timing.
The patched RemapOrderBy() in v1.30.2 clears any value that has no entry in the mapping, so only allowlisted column names can reach the query:
// RemapOrderBy remaps the order by column using the provided mapping.
// if the column is not found in the mapping, it is cleared to prevent SQL injection.
func (q *QueryArgs) RemapOrderBy(m map[string]string) {
	if q.OrderBy == "" {
		return
	}
	if v, ok := m[q.OrderBy]; ok {
		q.OrderBy = v
	} else {
		q.OrderBy = ""
	}
}
Source: GitHub Commit Update
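To make the root cause and the attack vector concrete, the following is an added Go example (not Phishing Club's code) that places a reconstruction of the pre-fix RemapOrderBy() logic, as described above, beside the v1.30.2 behaviour and feeds both through a minimal query builder. The QueryArgs shape, the recipientOrderBy mapping, the table and column names, the definition of "orphaned" and the CASE WHEN payload are all assumptions made for illustration; the project's real mapping, queries and pre-patch code may differ.

```go
package main

import (
	"fmt"
	"strings"
)

// QueryArgs mirrors the shape the advisory describes: the caller-supplied sort
// key ends up in OrderBy. Hypothetical reconstruction, not project code.
type QueryArgs struct {
	OrderBy string
	Desc    bool
}

// recipientOrderBy is a hypothetical allowlist mapping from API sort keys to
// real column names; Phishing Club's own mapping may differ.
var recipientOrderBy = map[string]string{
	"email":     "recipients.email",
	"createdAt": "recipients.created_at",
}

// remapOrderByVulnerable reconstructs the pre-fix logic as the advisory
// describes it: a known key is remapped, an unknown value is left untouched
// and flows into the SQL text unchanged.
func remapOrderByVulnerable(q *QueryArgs, m map[string]string) {
	if q.OrderBy == "" {
		return
	}
	if v, ok := m[q.OrderBy]; ok {
		q.OrderBy = v
	}
}

// remapOrderByFixed is the v1.30.2 behaviour: unknown values are cleared.
func remapOrderByFixed(q *QueryArgs, m map[string]string) {
	if q.OrderBy == "" {
		return
	}
	if v, ok := m[q.OrderBy]; ok {
		q.OrderBy = v
	} else {
		q.OrderBy = ""
	}
}

// buildQuery shows why ORDER BY is a classic injection point: bind parameters
// cannot carry identifiers, so the column name is concatenated into the statement.
// "orphaned" is assumed here to mean recipients without a campaign.
func buildQuery(q QueryArgs) string {
	var sb strings.Builder
	sb.WriteString("SELECT id, email FROM recipients WHERE campaign_id IS NULL")
	if q.OrderBy != "" {
		sb.WriteString(" ORDER BY " + q.OrderBy)
		if q.Desc {
			sb.WriteString(" DESC")
		}
	}
	return sb.String()
}

// QueryFor runs a sortBy value through either remap and returns the resulting SQL.
func QueryFor(sortBy string, fixed bool) string {
	q := QueryArgs{OrderBy: sortBy}
	if fixed {
		remapOrderByFixed(&q, recipientOrderBy)
	} else {
		remapOrderByVulnerable(&q, recipientOrderBy)
	}
	return buildQuery(q)
}

func main() {
	// Constructed boolean-based blind payload: the row order flips depending on
	// whether the injected condition is true, leaking one bit per request.
	payload := "(CASE WHEN (SELECT count(*) FROM users) > 1 THEN email ELSE id END)"
	for _, fixed := range []bool{false, true} {
		fmt.Printf("fixed=%v\n  %s\n  %s\n", fixed, QueryFor("email", fixed), QueryFor(payload, fixed))
	}
}
```

With the reconstructed pre-fix logic the CASE WHEN expression lands verbatim in the ORDER BY clause; with the v1.30.2 logic the unknown value is cleared and the query is emitted without any ORDER BY at all, which is the intended fail-closed behaviour.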
Detection Methods for CVE-2026-28226
Indicators of Compromise
- Unusual or malformed HTTP requests to the GetOrphaned recipient listing endpoint containing SQL keywords in the sortBy parameter
- Database query logs showing unexpected ORDER BY clauses with SQL expressions, subqueries, or CASE WHEN statements
- Abnormally slow responses on recipient listing requests, which may indicate time-based blind SQL injection attempts
- Authentication logs showing repeated requests from the same user to the vulnerable endpoint with varying sort parameters
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in query parameters, specifically targeting ORDER BY injection techniques
- Monitor application logs for requests containing SQL keywords (SELECT, UNION, CASE, WHEN, SLEEP, BENCHMARK) in the sortBy parameter; the time-delay functions depend on the backing database (for example pg_sleep on PostgreSQL), so tune the keyword list to the engine actually in use
- Deploy database activity monitoring to alert on unusual query patterns or unauthorized data access attempts
- Enable verbose logging on the Phishing Club application to capture all incoming request parameters for forensic analysis
Monitoring Recommendations
- Configure alerting for failed authentication attempts followed by successful logins with subsequent suspicious endpoint access patterns
- Establish baseline metrics for normal recipient listing endpoint response times and alert on significant deviations
- Review database audit logs regularly for queries with anomalous ORDER BY clauses
- Implement network-level monitoring for data exfiltration attempts following exploitation
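The detection and monitoring recommendations above can be checked mechanically. The following is an added Go example (not part of the original page and not Phishing Club's code) that runs over a constructed access log, flags requests whose sortBy value is outside an assumed allowlist or contains SQL keywords, derives a latency baseline from the clean requests to catch time-based probes, and counts flagged requests per user. The log layout, the endpoint path, the allowlisted sort keys and all sample lines are constructed for illustration; Phishing Club's real log format and routes may differ.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// sampleLog is a constructed access log in a hypothetical
// "ts user method path?query status duration_ms" layout.
const sampleLog = `2026-02-26T10:00:01Z alice GET /recipients/orphaned?sortBy=email&page=1 200 12
2026-02-26T10:00:04Z alice GET /recipients/orphaned?sortBy=createdAt 200 14
2026-02-26T10:01:10Z bob GET /recipients/orphaned?sortBy=(CASE+WHEN+(SELECT+1)=1+THEN+email+ELSE+id+END) 200 13
2026-02-26T10:01:12Z bob GET /recipients/orphaned?sortBy=(CASE+WHEN+(SELECT+count(*)+FROM+users)=3+THEN+email+ELSE+id+END) 200 15
2026-02-26T10:01:15Z bob GET /recipients/orphaned?sortBy=email,(SELECT+sleep(5)) 200 5021
2026-02-26T10:02:00Z carol GET /recipients/orphaned 200 11`

// allowedSort lists the sort keys the UI legitimately sends (assumed values).
var allowedSort = map[string]bool{"email": true, "createdAt": true, "name": true}

// sqlKeyword matches tokens typical of ORDER BY blind-injection payloads
// across common SQL dialects.
var sqlKeyword = regexp.MustCompile(`(?i)\b(select|union|case|when|sleep|benchmark|pg_sleep|waitfor|concat|substr)\b`)

// Finding is one suspicious request with the reasons it was flagged.
type Finding struct {
	User    string
	SortBy  string
	Reasons []string
}

type record struct {
	user   string
	sortBy string
	ms     int
}

// parseLine extracts the user, decoded sortBy value and duration from one log line.
func parseLine(line string) (record, bool) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return record{}, false
	}
	u, err := url.Parse(f[3])
	if err != nil {
		return record{}, false
	}
	ms, err := strconv.Atoi(f[5])
	if err != nil {
		return record{}, false
	}
	return record{user: f[1], sortBy: u.Query().Get("sortBy"), ms: ms}, true
}

// Analyze flags requests whose sortBy is outside the allowlist or contains SQL
// keywords, plus requests far slower than the median latency of clean requests
// (a time-based blind injection signal). One Finding per suspicious line.
func Analyze(log string) []Finding {
	var recs []record
	var clean []int
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		r, ok := parseLine(line)
		if !ok {
			continue
		}
		recs = append(recs, r)
		if r.sortBy == "" || allowedSort[r.sortBy] {
			clean = append(clean, r.ms)
		}
	}
	// Baseline: median latency of requests with a legitimate or absent sortBy.
	sort.Ints(clean)
	baseline := 0
	if len(clean) > 0 {
		baseline = clean[len(clean)/2]
	}
	var out []Finding
	for _, r := range recs {
		var reasons []string
		if r.sortBy != "" && !allowedSort[r.sortBy] {
			reasons = append(reasons, "sortBy not in allowlist")
		}
		if sqlKeyword.MatchString(r.sortBy) {
			reasons = append(reasons, "SQL keyword in sortBy")
		}
		if baseline > 0 && r.ms > 10*baseline {
			reasons = append(reasons, fmt.Sprintf("latency %dms exceeds 10x baseline %dms", r.ms, baseline))
		}
		if len(reasons) > 0 {
			out = append(out, Finding{User: r.user, SortBy: r.sortBy, Reasons: reasons})
		}
	}
	return out
}

// CountByUser returns how many flagged requests each account made; repeated
// probing from a single authenticated user is itself worth an alert.
func CountByUser(fs []Finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.User]++
	}
	return c
}

func main() {
	fs := Analyze(sampleLog)
	for _, f := range fs {
		fmt.Printf("%-6s %q: %s\n", f.User, f.SortBy, strings.Join(f.Reasons, "; "))
	}
	fmt.Println("flagged requests per user:", CountByUser(fs))
}
```

The allowlist check is the primary signal, because legitimate sort keys are a small fixed set; the keyword regex only adds attribution, and the latency rule is what surfaces time-based probes that an allowlist-unaware log search would miss. Feed the real application's access log in the same layout, or adapt parseLine to it, and route the per-user counts to whatever alerting the deployment already has.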
How to Mitigate CVE-2026-28226
Immediate Actions Required
- Upgrade Phishing Club to version v1.30.2 or later immediately to address this SQL injection vulnerability
- Review application and database logs for evidence of exploitation attempts targeting the GetOrphaned endpoint
- Audit user accounts with access to the affected endpoint and revoke credentials for any suspicious accounts
- Implement additional input validation at the web application firewall level as a defense-in-depth measure
Patch Information
The vulnerability was addressed in Phishing Club v1.30.2. The fix modifies the RemapOrderBy() function in backend/vo/queryParams.go to clear unknown mappings instead of passing them through. Additionally, the patch imports the slices package in backend/repository/recipient.go to support allowlist validation of order-by columns. Detailed patch information is available in the GitHub Security Advisory GHSA-4r69-4qff-ccj3 and the GitHub Commit Update.
Workarounds
- If immediate patching is not possible, restrict access to the GetOrphaned recipient listing endpoint to only trusted administrators
- Implement a reverse proxy or WAF rule to block requests containing SQL keywords in the sortBy parameter
- Temporarily disable the recipient listing functionality if it is not business-critical until the patch can be applied
- Run the application against a least-privileged database account (no access to other schemas, no file or OS-level functions) and segment the network so the database is reachable only from the application server; this does not prevent the injection itself, but it limits what an injected query and any follow-on exfiltration can reach
# Example WAF rules for the sortBy parameter (ModSecurity format). The first is a keyword
# denylist, which attackers can often evade; the second allowlists plain identifiers and is
# the stronger control. Adjust the identifier pattern to the sort keys your deployment sends.
SecRule ARGS:sortBy "@rx (?i)(union|select|case|when|sleep|benchmark|concat|substr)" \
    "id:100001,phase:2,deny,status:403,msg:'Potential SQL injection in sortBy parameter'"
SecRule ARGS:sortBy "!@rx ^[A-Za-z0-9_.]*$" \
    "id:100002,phase:2,deny,status:403,msg:'Unexpected characters in sortBy parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.