CVE-2026-35168 Overview
OpenSTAManager, an open source management software for technical assistance and invoicing, contains a critical SQL Injection vulnerability in its Aggiornamenti (Updates) module. Prior to version 2.10.2, the database conflict resolution feature (op=risolvi-conflitti-database) accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. This allows authenticated attackers with access to the Aggiornamenti module to execute arbitrary SQL statements against the underlying MySQL database.
Critical Impact
An authenticated attacker can execute arbitrary SQL, including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE and SELECT statements, which is enough for complete compromise and exfiltration of the application database. If the application's database account also holds the global FILE privilege and secure_file_priv permits the target directory, SELECT ... INTO OUTFILE can additionally write attacker-controlled files on the database host, which on a server where MySQL and the web root share a filesystem can be escalated to code execution.
Affected Products
- OpenSTAManager versions prior to 2.10.2
- OpenSTAManager Aggiornamenti (Updates) module with database conflict resolution feature
Discovery Timeline
- 2026-04-02 - CVE-2026-35168 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-35168
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the Aggiornamenti module's database conflict resolution functionality. The vulnerable endpoint accepts POST requests containing a JSON array of SQL statements and executes each of them without any input validation or sanitization. The severity is compounded by the fact that the handler issues SET FOREIGN_KEY_CHECKS=0 before running the submitted statements, so DROP, DELETE and ALTER operations on tables referenced by foreign keys succeed instead of failing with a constraint error, and related tables can be manipulated or destroyed without any integrity check stopping them.
The attack requires authentication and access to the Aggiornamenti module, but once those conditions are met the attacker has unrestricted SQL execution with the privileges of the application's database account. This enables data theft, privilege escalation within the database, and, where that account holds the FILE privilege, file writes via SELECT INTO OUTFILE that can lead to remote code execution.
Root Cause
The root cause is a complete absence of input validation on SQL statements passed to the database conflict resolution feature. The vulnerable code directly executes user-supplied SQL queries without implementing an allowlist of safe operations, pattern matching, or any sanitization. The vulnerability is exacerbated by the intentional disabling of foreign key checks, which was likely intended for legitimate schema migration operations but creates additional attack surface.
Attack Vector
The attack is network-based and requires an authenticated session with access to the Aggiornamenti module. The attacker sends a POST request for the op=risolvi-conflitti-database operation whose body carries a JSON array of arbitrary SQL statements; the server decodes the array and runs each statement directly against MySQL. Statements the attacker can submit this way include SELECT queries for data exfiltration, INSERT/UPDATE/DELETE for data manipulation, DROP TABLE for schema destruction, and SELECT INTO OUTFILE for file writes where the database account holds the FILE privilege.
break;
}
- $debug_queries = implode('<br>', $queries);
+ // WHITELIST: Permetti solo pattern SQL sicuri
+ $allowed_patterns = [
+ '/^ALTER\s+TABLE\s+`?[\w]+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+(COLUMN\s+)?`?[\w]+`?/i',
+ '/^CREATE\s+(UNIQUE\s+)?INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?\s*\(/i',
+ '/^DROP\s+INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?$/i',
+ '/^UPDATE\s+`?zz_views`?\s+SET\s+/i',
+ '/^INSERT\s+INTO\s+`?zz_\w+`?\s*\(/i',
+ '/^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+/i',
+ ];
+
+ $safe_queries = [];
+ $rejected = [];
- $dbo->query('SET FOREIGN_KEY_CHECKS=0');
+ foreach ($queries as $query) {
+ $is_safe = false;
+ foreach ($allowed_patterns as $pattern) {
+ if (preg_match($pattern, trim($query))) {
+ $is_safe = true;
+ break;
+ }
+ }
+
+ if ($is_safe) {
+ $safe_queries[] = $query;
+ } else {
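Review bot: the new `$allowed_patterns` allowlist is anchored only at the start of each statement: of the six patterns only `'/^DROP\s+INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?$/i'` ends in `$`, so once a prefix such as `DELETE FROM zz_x WHERE ` or `ALTER TABLE t ADD COLUMN c` matches, `preg_match` accepts whatever follows it (`WHERE 1=1`, a second `;`-separated statement, a trailing comment). Suggest anchoring every pattern with `$`, rejecting `;`, `--`, `#` and `/*` before matching, and, since the patterns constrain only statement shape, limiting `ALTER TABLE` and `CREATE INDEX` to the tables the updater actually manages the way the DML patterns are limited to `zz_*`. Two smaller points: the match runs on `trim($query)` but `$safe_queries[] = $query;` stores the untrimmed string, and the `else` branch that fills `$rejected` is cut off here, so make sure rejected statements are logged with the submitting user rather than silently dropped. Removing `$dbo->query('SET FOREIGN_KEY_CHECKS=0');` is the right call, but an allowlisted `ALTER TABLE ... DROP` on a column referenced by a foreign key will now fail with a constraint error, and the conflict-resolution UI needs to surface that failure instead of reporting success.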
Source: GitHub Commit Reference
Detection Methods for CVE-2026-35168
Indicators of Compromise
- Unusual POST requests to the Aggiornamenti module containing op=risolvi-conflitti-database parameter
- WAF or application audit logs showing JSON-encoded SQL statements in POST bodies (a standard access log records only the request line, not the body, so this indicator requires a body-logging control such as a ModSecurity audit log)
- Database audit logs revealing unexpected DDL operations (DROP, CREATE, ALTER) or bulk data modifications
- MySQL general query log entries showing SET FOREIGN_KEY_CHECKS=0 followed by anomalous queries
Detection Strategies
- Monitor web application logs for requests to /modules/aggiornamenti/actions.php with suspicious parameters
- Implement Web Application Firewall (WAF) rules that inspect POST bodies sent to the Aggiornamenti endpoint for JSON arrays of SQL statements; because the legitimate conflict-resolution feature submits exactly that shape, alert on destructive keywords (DROP TABLE, TRUNCATE, INTO OUTFILE, LOAD_FILE) and on the submitting account rather than blocking every SQL keyword
- Enable MySQL general query logging temporarily to identify unauthorized SQL execution patterns
- Review database user privilege assignments to identify accounts with excessive permissions
Monitoring Recommendations
- Configure database audit logging to capture all DDL statements and privilege modifications
- Set up alerts for bulk DELETE, DROP TABLE, or SELECT INTO OUTFILE operations
- Monitor authentication logs for the Aggiornamenti module to track access patterns
- Implement anomaly detection for database query patterns that deviate from normal application behavior
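The indicators and detection strategies above can be checked mechanically. The script below is an added example written for this page, not code from OpenSTAManager or its maintainers. It scans constructed sample lines in Apache combined access-log format and MySQL general-query-log format (both samples are made up for the example). It assumes the op= parameter is carried in the query string of the request to /modules/aggiornamenti/actions.php, which an access log records; an op= value sent only in the POST body is visible only in a WAF audit log or application log, and the same matching logic would then be applied there. The general-log check flags statements run on a connection after it issued SET FOREIGN_KEY_CHECKS=0, the sequence named in the indicators above, and disarms a thread id on Quit because MySQL reuses ids across connections.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/modules/aggiornamenti/actions.php"
VULN_OP = "risolvi-conflitti-database"

# Constructed Apache combined-format access log lines (made up for this example).
# Assumption: op= is carried in the query string; a body-only op= would not appear here.
ACCESS_LOG = """\
10.0.0.5 - admin [02/Apr/2026:10:15:21 +0000] "POST /modules/aggiornamenti/actions.php?op=risolvi-conflitti-database HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - admin [02/Apr/2026:10:15:30 +0000] "GET /modules/aggiornamenti/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Apr/2026:10:16:02 +0000] "POST /modules/aggiornamenti/actions.php?op=update HTTP/1.1" 200 64 "-" "curl/8.0"
"""

# Constructed MySQL general query log excerpt (made up). Each line is
# time<TAB>thread_id command<TAB>argument, as written with general_log=ON.
GENERAL_LOG = """\
2026-04-02T10:15:21.100000Z\t   42 Query\tSET FOREIGN_KEY_CHECKS=0
2026-04-02T10:15:21.200000Z\t   42 Query\tSELECT * FROM an_anagrafiche INTO OUTFILE '/var/www/html/x.php'
2026-04-02T10:15:21.300000Z\t   42 Query\tDROP TABLE an_sedi
2026-04-02T10:15:22.000000Z\t   43 Query\tSELECT id FROM zz_modules WHERE name = 'Aggiornamenti'
2026-04-02T10:15:23.000000Z\t   42 Quit\t
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
GENERAL_RE = re.compile(r"^(?P<time>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
FK_OFF_RE = re.compile(r"^SET\s+FOREIGN_KEY_CHECKS\s*=\s*0$", re.I)
# Statements that should not originate from the application's normal request path.
DANGEROUS_RE = re.compile(
    r"^(DROP\s+(TABLE|DATABASE)|TRUNCATE|ALTER\s+TABLE|CREATE\s+(TABLE|USER)|GRANT)\b"
    r"|\bINTO\s+(OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(",
    re.I,
)


def flag_access_log(text):
    """Return (ip, user, time, target) for POSTs to the conflict-resolution operation."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path == VULN_PATH and VULN_OP in parse_qs(url.query).get("op", []):
            hits.append((m["ip"], m["user"], m["time"], m["target"]))
    return hits


def flag_general_log(text):
    """Return (thread, time, sql) for dangerous statements a connection ran after
    it disabled foreign key checks. Quit disarms the thread id because MySQL
    reuses ids across connections."""
    armed, hits = set(), []
    for line in text.splitlines():
        m = GENERAL_RE.match(line)
        if not m:
            continue
        thread = int(m["thread"])
        if m["cmd"] == "Quit":
            armed.discard(thread)
            continue
        if m["cmd"] != "Query":
            continue
        sql = m["arg"].strip()
        if FK_OFF_RE.match(sql):
            armed.add(thread)
        elif thread in armed and DANGEROUS_RE.search(sql):
            hits.append((thread, m["time"], sql))
    return hits


if __name__ == "__main__":
    for hit in flag_access_log(ACCESS_LOG):
        print("web:", *hit)
    for hit in flag_general_log(GENERAL_LOG):
        print("db: ", *hit)
```

Run it against real logs by replacing the two constructed samples with file contents; the DANGEROUS_RE list is a starting point and should be tuned, since a legitimate pre-patch update run will also issue ALTER TABLE after disabling foreign key checks, so correlate the database hit with the web hit and the submitting account before escalating.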
How to Mitigate CVE-2026-35168
Immediate Actions Required
- Upgrade OpenSTAManager to version 2.10.2 or later immediately
- Restrict access to the Aggiornamenti module to only trusted administrator accounts
- Review database access logs for evidence of exploitation
- Audit database contents for unauthorized modifications or data exfiltration indicators
Patch Information
The vulnerability has been patched in OpenSTAManager version 2.10.2. The fix replaces unconditional execution with an allowlist: each submitted statement must match one of a fixed set of regular expressions before it is run, and only ALTER TABLE (ADD/MODIFY/CHANGE/DROP of a column), CREATE INDEX, DROP INDEX, and limited INSERT/UPDATE/DELETE operations on the application's zz_* system tables are accepted. The patch also removes the SET FOREIGN_KEY_CHECKS=0 statement that previously disabled referential-integrity checks for the submitted statements. Note that most of the allowlist patterns are anchored only at the start of the statement, so the upgrade should be combined with the access restrictions listed above rather than treated as the sole control.
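To see why anchoring matters, the following added example (written for this page, not taken from the OpenSTAManager patch) transcribes prefix-anchored patterns of the same shape as the ones visible in the commit fragment above into Python and puts them next to a stricter, whole-statement variant. The stricter variant is an assumed design, not the project's: it rejects statement separators and comment syntax, matches the entire statement, limits column definitions to a small type grammar, and confines DELETE to a single equality predicate on a zz_* table. INSERT and UPDATE bodies are deliberately absent from it, because free-form VALUES and SET clauses cannot be validated by a regular expression and are better expressed as structured data that the server turns into SQL itself. The sample statements are constructed.

```python
import re

# Prefix-anchored patterns in the shape of the patched allowlist, transcribed to Python for
# illustration (not the project's code). As in the fragment above, only DROP INDEX ends in $.
PATCH_STYLE = [
    r"^ALTER\s+TABLE\s+`?\w+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+(COLUMN\s+)?`?\w+`?",
    r"^CREATE\s+(UNIQUE\s+)?INDEX\s+`?\w+`?\s+ON\s+`?\w+`?\s*\(",
    r"^DROP\s+INDEX\s+`?\w+`?\s+ON\s+`?\w+`?$",
    r"^UPDATE\s+`?zz_views`?\s+SET\s+",
    r"^INSERT\s+INTO\s+`?zz_\w+`?\s*\(",
    r"^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+",
]

# Stricter, whole-statement variant (assumed design for this example, not from the patch).
_IDENT = r"`?[A-Za-z_]\w*`?"
_TYPE = r"(INT|BIGINT|TINYINT|VARCHAR\(\d+\)|TEXT|DATETIME|DECIMAL\(\d+,\d+\))"
_COLDEF = rf"{_IDENT}\s+{_TYPE}(\s+(NOT\s+NULL|NULL|DEFAULT\s+('[^']*'|\d+|NULL)))*"
STRICT = [
    rf"^ALTER\s+TABLE\s+{_IDENT}\s+ADD\s+(COLUMN\s+)?{_COLDEF}$",
    rf"^ALTER\s+TABLE\s+{_IDENT}\s+MODIFY\s+(COLUMN\s+)?{_COLDEF}$",
    rf"^ALTER\s+TABLE\s+{_IDENT}\s+DROP\s+(COLUMN\s+)?{_IDENT}$",
    rf"^CREATE\s+(UNIQUE\s+)?INDEX\s+{_IDENT}\s+ON\s+{_IDENT}\s*\(\s*{_IDENT}(\s*,\s*{_IDENT})*\s*\)$",
    rf"^DROP\s+INDEX\s+{_IDENT}\s+ON\s+{_IDENT}$",
    rf"^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+{_IDENT}\s*=\s*('[^']*'|\d+)$",
]
# Statement separators, comment introducers and backslash escapes are rejected outright.
FORBIDDEN = re.compile(r";|--|#|/\*|\\")


def patch_allows(stmt):
    """Mirror of the prefix match: accepted as soon as the start of the statement fits."""
    return any(re.match(p, stmt.strip(), re.I) for p in PATCH_STYLE)


def strict_allows(stmt):
    """Whole-statement match with no separators or comments."""
    s = stmt.strip()
    if FORBIDDEN.search(s):
        return False
    return any(re.fullmatch(p, s, re.I) for p in STRICT)


# Constructed statements: (statement, accepted by prefix allowlist, accepted by strict allowlist).
CASES = [
    ("ALTER TABLE `an_sedi` ADD COLUMN `note` TEXT NOT NULL DEFAULT ''", True, True),
    ("DELETE FROM zz_settings WHERE nome = 'legacy'", True, True),
    ("DELETE FROM zz_settings WHERE 1=1", True, False),
    ("ALTER TABLE an_sedi DROP COLUMN note; DROP TABLE an_anagrafiche", True, False),
    ("CREATE INDEX idx_nome ON an_sedi (nome) -- harmless looking", True, False),
    ("DROP TABLE an_anagrafiche", False, False),
]


def evaluate(cases=CASES):
    """Return (statement, prefix_verdict, strict_verdict) for each case."""
    return [(s, patch_allows(s), strict_allows(s)) for s, _, _ in cases]


if __name__ == "__main__":
    for stmt, prefix_ok, strict_ok in evaluate():
        print(f"prefix={prefix_ok!s:5} strict={strict_ok!s:5} {stmt}")
```

Even the strict variant only constrains statement shape: the first case shows that an ALTER TABLE on an arbitrary table still passes both, so an allowlist of this kind has to be paired with a list of the tables the updater is permitted to touch, or replaced by a structured interface that never takes SQL text from the client.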
For patch details, see the GitHub Security Advisory GHSA-2fr7-cc4f-wh98 and the GitHub Release v2.10.2.
Workarounds
- Disable or restrict network access to the Aggiornamenti module until patching is complete
- Implement a reverse proxy or WAF rule to block requests to /modules/aggiornamenti/actions.php that carry op=risolvi-conflitti-database in either the query string or the POST body (inspect both, since the parameter location depends on the client)
- Remove Aggiornamenti module permissions from non-essential user accounts
- Configure MySQL user privileges to limit the application database account to only required operations
# Example: restrict the OpenSTAManager database account (MySQL)
# Inspect current grants first; a REVOKE at a level where no grant exists is an error
SHOW GRANTS FOR 'openstamanager_user'@'localhost';
# FILE and SUPER are global-only privileges; revoking FILE removes SELECT ... INTO OUTFILE and LOAD_FILE()
REVOKE FILE, SUPER ON *.* FROM 'openstamanager_user'@'localhost';
# DDL granted on the application schema must be revoked at that level; a *.* REVOKE does not touch it
REVOKE CREATE, DROP, ALTER, INDEX ON openstamanager_db.* FROM 'openstamanager_user'@'localhost';
# Minimum DML the application needs at runtime
GRANT SELECT, INSERT, UPDATE, DELETE ON openstamanager_db.* TO 'openstamanager_user'@'localhost';
# Caveat: the Aggiornamenti module itself needs CREATE, ALTER, DROP and INDEX on openstamanager_db
# to apply schema updates; re-grant them for the upgrade to 2.10.2 and revoke them again afterwards.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

