CVE-2026-40331 Overview
CVE-2026-40331 is an unauthenticated SQL injection vulnerability [CWE-89] in Masa CMS, an open source content management system. The flaw exists in the JSON API, which accepts an altTable parameter stored via the setAltTable() method without validation or sanitization. The unsanitized value is injected directly into a SQL FROM clause inside feedGateway.cfc. An attacker can supply an arbitrary subquery to read sensitive data from any database table in a single HTTP request, including administrative credentials and password reset tokens. The issue affects Masa CMS versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2.
Critical Impact
Unauthenticated attackers can extract administrative credentials and password reset tokens from any database table in a single HTTP request.
Affected Products
- Masa CMS versions 7.2.0 through 7.2.9
- Masa CMS versions 7.3.0 through 7.3.14
- Masa CMS versions 7.4.0 through 7.4.9
- Masa CMS versions 7.5.0 through 7.5.2
Discovery Timeline
- 2026-05-05 - CVE-2026-40331 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-40331
Vulnerability Analysis
The vulnerability resides in the unauthenticated JSON API exposed by Masa CMS. The API accepts an altTable request parameter and passes it to the setAltTable() method on feedBean.cfc without input validation. The stored value is later concatenated directly into the SQL FROM clause constructed by feedGateway.cfc. Because no parameterization or allow-list filtering occurs, the attacker controls the table reference.
An attacker can replace the table name with an arbitrary subquery, turning a single HTTP request into a database read primitive. The query executes with the privileges of the application database account, which typically has read access to every CMS table. Sensitive data including administrative credentials and password reset tokens are exposed, enabling account takeover and full administrative compromise of the CMS.
Root Cause
The root cause is missing input validation on the altTable parameter combined with unsafe SQL composition. The setAltTable() setter accepts any string, and feedGateway.cfc interpolates that string directly into a SQL statement. This pattern matches CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the JSON API endpoint with an altTable parameter containing a SQL subquery. The injected subquery executes within the feed gateway's database context. Output is returned in the JSON response, allowing efficient extraction of credential hashes, session data, and reset tokens. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-40331
Indicators of Compromise
- HTTP requests to the Masa CMS JSON API containing an altTable parameter with non-alphanumeric characters, parentheses, or SELECT keywords.
- Web server access logs showing repeated JSON API calls from a single source with varying altTable values.
- Database query logs containing unusual FROM clauses referencing subqueries or unexpected table names.
- Unexpected reads against users, password_reset, or other credential-bearing tables originating from the CMS application account.
Detection Strategies
- Inspect HTTP request payloads for the altTable parameter and alert on values that are not simple alphanumeric identifiers.
- Enable database query logging and flag queries where the FROM clause contains nested SELECT statements issued by the CMS service account.
- Deploy WAF signatures targeting SQL injection patterns within JSON API request bodies and query strings.
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized analytics platform for correlation of injection attempts and downstream data access.
- Monitor administrative account activity for unexpected logins or password changes that follow suspicious JSON API requests.
- Track outbound data volumes from the CMS database server to identify bulk extraction.
How to Mitigate CVE-2026-40331
Immediate Actions Required
- Upgrade Masa CMS to version 7.2.10, 7.3.15, 7.4.10, or 7.5.3, matching your current major version line.
- If patching is delayed, disable the JSON API at the web server or application level until the upgrade is applied.
- Rotate administrative credentials and invalidate outstanding password reset tokens after patching, since prior exposure cannot be ruled out.
Patch Information
The Masa CMS maintainers fixed the vulnerability in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. The fix adds validation to setAltTable() so that only simple alphanumeric table names are accepted. Refer to the GitHub Security Advisory GHSA-jphh-r686-6w7j for release details.
Workarounds
- Apply input validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to alphanumeric table names.
- Disable the JSON API entirely if it is not required by your deployment.
- Restrict network access to the JSON API endpoint using firewall rules or reverse-proxy ACLs while remediation is in progress.
# Configuration example: block JSON API at a reverse proxy until patched
location ~* /index\.cfm/_api/json/ {
return 403;
}
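Added example (not part of the advisory or of Masa CMS): the detection strategy above says to alert on altTable values that are not simple alphanumeric identifiers, and the workaround says to validate setAltTable() against the same rule. This script encodes that allow-list once and runs it over constructed web server access log lines, reporting only JSON API requests whose altTable value fails the check and how many such requests each client sent. It assumes combined-format logs and GET query strings; POST bodies are not visible in access logs and would need a WAF or application log instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Allow-list mirroring the fix described for setAltTable(): a table name is
# accepted only when it is a plain identifier (letters, digits, underscore).
SAFE_TABLE_NAME = re.compile(r"^[A-Za-z0-9_]+$")

def is_safe_table_name(value: str) -> bool:
    """True for a plain identifier, False for anything else (empty included)."""
    return bool(SAFE_TABLE_NAME.fullmatch(value))

# Combined log format: client, ident, user, [timestamp], "request", status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def alt_table_values(target: str) -> list[str]:
    """Return every altTable value carried in the request target's query string."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("altTable", [])

def scan_access_log(lines):
    """Return (client, altTable value) pairs for JSON API requests whose
    altTable is not a plain identifier. Other paths are ignored."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "/_api/json/" not in target.lower():
            continue
        for value in alt_table_values(target):
            if not is_safe_table_name(value):
                hits.append((m.group("client"), value))
    return hits

def flagged_per_client(hits) -> Counter:
    """Count flagged requests per source to surface repeated probing."""
    return Counter(client for client, _ in hits)

# Constructed sample log lines (not real traffic). Line 2 and 3 carry
# non-identifier altTable values; line 4 is outside the JSON API path.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2026:10:01:02 +0000] "GET /index.cfm/_api/json/?altTable=news_items HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/May/2026:10:01:05 +0000] "GET /index.cfm/_api/json/?altTable=%28SELECT+1%29 HTTP/1.1" 200 734',
    '198.51.100.4 - - [05/May/2026:10:02:11 +0000] "GET /index.cfm/_api/json/?altTable=news_items%27 HTTP/1.1" 500 0',
    '198.51.100.9 - - [05/May/2026:10:03:00 +0000] "GET /about/?altTable=%28x%29 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, value in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {client} altTable={value!r}")
```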
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.