CVE-2026-33545 Overview
CVE-2026-33545 is a SQL Injection vulnerability affecting MobSF (Mobile Security Framework), a widely-used open-source mobile application security testing tool. The vulnerability exists in the read_sqlite() function within mobsf/MobSF/utils.py (lines 542-566), where Python string formatting (%) is used to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without proper parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection.
Critical Impact
Security researchers and analysts using MobSF to analyze potentially malicious mobile applications could be compromised through specially crafted SQLite databases embedded within those applications, turning a security tool into an attack vector.
Affected Products
- MobSF (Mobile Security Framework) versions prior to 4.4.6
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33545 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33545
Vulnerability Analysis
This vulnerability represents a classic SQL Injection flaw (CWE-89) occurring in a security analysis tool. The root cause lies in how MobSF processes SQLite databases embedded within mobile applications during security analysis. When the read_sqlite() function reads table names from the sqlite_master system table of an analyzed database, these table names are directly interpolated into subsequent SQL queries using Python's % string formatting operator rather than parameterized queries.
The attack is particularly insidious because it targets security professionals who are actively analyzing potentially malicious applications. An attacker could distribute a mobile application containing a SQLite database with malicious table names. When a security analyst loads this application into MobSF for analysis, the SQL injection payload executes automatically.
Root Cause
The vulnerability stems from improper input validation in the SQL query construction process. The read_sqlite() function in mobsf/MobSF/utils.py trusts table names extracted from user-supplied SQLite databases and uses Python string formatting to build SQL queries. Table names retrieved from sqlite_master are not sanitized, allowing SQL metacharacters embedded in table names to break out of the intended query context.
Attack Vector
The attack vector requires network access with high attack complexity. An attacker must craft a malicious mobile application containing a SQLite database with specially crafted table names that include SQL injection payloads. The victim must then use MobSF to analyze this malicious application. When MobSF's read_sqlite() function processes the database, it extracts table names from sqlite_master and interpolates them directly into SQL queries, executing the attacker's payload.
The security patch addresses multiple injection vectors by sanitizing input patterns:
def class_pattern(pattern):
"""Search in loaded classes based on pattern."""
pattern = pattern.replace(
- '/', '\\/').replace(';', '')
+ '/', '\\/').replace(';', '').replace('\n', '').replace('\r', '')
content = get_content('search_class_pattern.js')
return content.replace('{{PATTERN}}', pattern)
Source: GitHub Commit Update
The patch also introduces path traversal protection with a dedicated exception handler:
from mobsf.MalwareAnalyzer.views.MalwareDomainCheck import (
MalwareDomainCheck,
)
+from mobsf.MobSF.exceptions import PathTraversalError
from mobsf.MobSF.utils import (
EMAIL_REGEX,
URL_REGEX,
Source: GitHub Commit Update
Detection Methods for CVE-2026-33545
Indicators of Compromise
- Mobile applications containing SQLite databases with unusual or malformed table names containing SQL metacharacters (semicolons, quotes, comments)
- Database table names containing newline or carriage return characters (\n, \r)
- SQLite databases with table names exceeding normal length limits or containing encoded payloads
Detection Strategies
- Monitor MobSF application logs for SQL errors or unexpected query patterns during mobile app analysis
- Implement pre-analysis scanning of SQLite databases for suspicious table name patterns before processing
- Review analyzed mobile applications for embedded databases with anomalous structures
Monitoring Recommendations
- Enable verbose logging in MobSF to capture SQL query execution during analysis sessions
- Set up alerts for database errors or exceptions occurring during mobile application analysis
- Implement file integrity monitoring on MobSF installation directories to detect any unauthorized modifications
How to Mitigate CVE-2026-33545
Immediate Actions Required
- Upgrade MobSF to version 4.4.6 or later immediately
- Review any mobile applications recently analyzed with vulnerable MobSF versions for potential malicious SQLite databases
- Isolate MobSF instances in sandboxed environments to limit potential blast radius
Patch Information
The MobSF development team has released version 4.4.6 which patches this vulnerability. The fix implements proper input sanitization and introduces additional security hardening measures including path traversal protection. Security professionals should upgrade to the patched version by pulling the latest release from the official GitHub repository.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-hqjr-43r5-9q58 and the security commit.
Workarounds
- Run MobSF in an isolated container or virtual machine environment to contain potential exploitation
- Pre-screen SQLite databases extracted from mobile applications for suspicious table names before allowing MobSF analysis
- Restrict network access for MobSF instances to minimize attack surface until patching is complete
# Example: Running MobSF in Docker for isolation
docker pull opensecurity/mobile-security-framework-mobsf:v4.4.6
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:v4.4.6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
