CVE-2026-38812 Overview
CVE-2026-38812 is a SQL Injection vulnerability in RuoYi v4.8.2, an open-source Java enterprise rapid development platform. The flaw resides in the /tool/gen/createTable endpoint within the code generation module. An attacker who supplies crafted input to this endpoint can manipulate backend SQL queries and access sensitive database information. The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Successful exploitation enables unauthorized read and write access to the underlying database, leading to disclosure, tampering, or destruction of application data.
Affected Products
- RuoYi v4.8.2
- RuoYi code generation module (/tool/gen/createTable endpoint)
- Deployments exposing the administrative tool interface
Discovery Timeline
- 2026-06-15 - CVE-2026-38812 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
- 2026-06-18 - EPSS score recorded at 0.393% (percentile 30.95)
Technical Details for CVE-2026-38812
Vulnerability Analysis
RuoYi exposes a code generation utility at /tool/gen/createTable that accepts SQL-related parameters used to provision tables and scaffold application code. The endpoint passes user-controlled input into a database query without sufficient parameterization or input validation. An attacker reaching this endpoint can append SQL syntax that the backend executes against the configured datastore.
While the official description states the endpoint requires an authenticated administrative session, the published CVSS vector indicates network-reachable exploitation with no privileges required. Organizations should treat any exposed /tool/ route as a high-risk attack surface until the discrepancy is resolved by the vendor. The flaw is classified as [CWE-89].
Root Cause
The root cause is the concatenation of untrusted input into a dynamic SQL statement within the code generation handler. RuoYi's generator builds DDL and metadata queries using string composition rather than parameterized statements or strict allow-listing of identifiers. Because table names and schema identifiers cannot be bound as standard SQL parameters, the developer must validate them against a strict allow-list, which the affected version does not enforce.
Attack Vector
Exploitation occurs over the network against the RuoYi administrative interface. The attacker submits a crafted request to /tool/gen/createTable containing SQL metacharacters in a vulnerable parameter. The backend executes the injected payload, returning data through error responses, time-based side channels, or stacked queries depending on the database driver.
A proof-of-concept is published in the CVE-2026-38812 RuoYi SQL Injection PoC Repository. Refer to that repository for technical request details; no verified exploit code is reproduced here.
Detection Methods for CVE-2026-38812
Indicators of Compromise
- HTTP requests to /tool/gen/createTable containing SQL metacharacters such as single quotes, UNION, SLEEP(, --, or comment sequences.
- Unexpected outbound database queries from the RuoYi application user, particularly against information_schema or system catalog tables.
- Application error log entries referencing SQL syntax errors originating from the code generation handler.
- New or modified database tables created outside of normal change windows by the RuoYi service account.
Detection Strategies
- Inspect web access logs and WAF telemetry for requests targeting /tool/gen/* endpoints from non-administrative source addresses.
- Enable verbose SQL logging on the RuoYi database user and alert on queries that reference schema metadata or use time-delay functions.
- Correlate authentication events with subsequent calls to /tool/gen/createTable to surface anomalous admin session reuse.
Monitoring Recommendations
- Forward RuoYi application logs and database audit logs to a centralized analytics platform for retention and correlation.
- Baseline normal usage of the code generation module and alert on deviations in request volume, parameter length, or response size.
- Monitor for privilege escalation patterns following any successful interaction with /tool/gen/createTable.
How to Mitigate CVE-2026-38812
Immediate Actions Required
- Restrict network access to the RuoYi administrative interface using firewall rules, VPN, or IP allow-listing.
- Disable the code generation module in production environments where it is not actively required.
- Rotate database credentials used by RuoYi and review the database user's permissions, removing DDL rights where possible.
- Audit recent access logs for /tool/gen/createTable requests and investigate any suspicious activity.
Patch Information
No official vendor patch is referenced in the NVD entry at the time of publication. Monitor the RuoYi project repository and the GitHub PoC repository for updates. Until a fixed release is available, apply the workarounds below.
Workarounds
- Place the application behind a Web Application Firewall (WAF) with rules blocking SQL injection patterns on /tool/gen/* paths.
- Enforce least-privilege on the database account used by RuoYi so that injected queries cannot read sensitive tables or alter schemas.
- Require multi-factor authentication for all administrative accounts and shorten session lifetimes.
- Remove or comment out the createTable controller route in custom builds until an upstream fix is released.
# Example nginx configuration to block external access to the code generation module
location ^~ /tool/gen/ {
allow 10.0.0.0/8; # internal admin network
deny all;
proxy_pass http://ruoyi_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

