CVE-2026-42475 Overview
CVE-2026-42475 is a SQL injection vulnerability [CWE-89] affecting MixPHP Framework versions 2.x through 2.2.17. The flaw exists in the joinOn function within BuildHelper.php, where a crafted on array passed to that function lets an attacker inject SQL syntax into the generated query. An attacker with network access can exploit the issue without authentication or user interaction. Successful exploitation can disclose database contents and modify query logic in applications built on the affected framework.
Critical Impact
Unauthenticated remote attackers can manipulate SQL queries through the joinOn function in MixPHP Framework 2.x through 2.2.17, leading to confidentiality and integrity impact on application databases.
Affected Products
- MixPHP Framework 2.x through 2.2.17
- Applications using the mix-php/mix database component (src/database/src/Helper/BuildHelper.php)
- Downstream services that pass user-controlled input into the joinOn function
Discovery Timeline
- 2026-05-01 - CVE-2026-42475 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42475
Vulnerability Analysis
The vulnerability resides in the query-building logic of MixPHP's database helper. The joinOn function in BuildHelper.php accepts an on array used to construct the ON clause of SQL JOIN statements. The function concatenates user-supplied array elements directly into the query string instead of binding them as parameters or validating them against an allow-list. Attackers who control any portion of the on array can inject arbitrary SQL fragments. The CVSS vector indicates network-based exploitation with low attack complexity, no privileges required, and partial impact to confidentiality and integrity. The EPSS score is 0.041% at the 12.348 percentile, reflecting low observed exploitation activity at publication.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The joinOn helper trusts caller-supplied identifiers and conditions, embedding them directly into generated SQL rather than treating them as untrusted input. Frameworks typically isolate identifiers using strict whitelisting or quoted identifier escaping, neither of which is enforced here.
Attack Vector
An attacker reaches the vulnerable code by submitting input that an application forwards into the on parameter of a JOIN operation built via BuildHelper::joinOn. Where developers expose join conditions to request data, such as filtering or relationship parameters, attackers can append SQL fragments to alter query results, exfiltrate data via boolean or time-based techniques, or break out of the intended clause. See the GitHub Gist proof of concept and the vulnerable BuildHelper.php source for technical details.
No verified exploit code is reproduced here. Refer to the public proof of concept linked above for the demonstrated payload structure.
Detection Methods for CVE-2026-42475
Indicators of Compromise
- Database query logs containing unexpected SQL operators, comments, or UNION statements within JOIN ... ON clauses
- Application error logs referencing BuildHelper::joinOn followed by SQL syntax errors
- HTTP request parameters carrying array values with quotes, parentheses, or SQL keywords destined for join logic
Detection Strategies
- Inspect application source for direct user input flowing into the joinOn function and audit recent commits to BuildHelper.php consumers
- Enable verbose database query logging and alert on join clauses containing characters such as a single quote ('), the comment openers -- and /*, or the statement separator ;
- Deploy a web application firewall ruleset targeting SQL metacharacters in array-style query parameters
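The query-log strategy above, carried out over constructed log lines. This is an added example written for this page, not tooling from MixPHP or NVD; it assumes a tab-separated "timestamp, statement" log format and MySQL-style JOIN syntax.

```php
<?php
// Added example (not from the advisory or MixPHP): scan query-log lines for
// JOIN ... ON clauses containing the metacharacters listed above. The
// "timestamp<TAB>statement" line format is constructed for this illustration.
declare(strict_types=1);

/**
 * Return the text of every ON clause in a statement. A clause ends at the next
 * JOIN, WHERE, GROUP BY, ORDER BY, LIMIT keyword, or at the end of the statement.
 */
function extractOnClauses(string $sql): array
{
    $pattern = '/\bJOIN\b.+?\bON\b(.+?)(?=\b(?:JOIN|WHERE|GROUP\s+BY|ORDER\s+BY|LIMIT)\b|$)/is';
    preg_match_all($pattern, $sql, $matches);
    return array_map('trim', $matches[1]);
}

/** True when a join condition carries quotes, comment openers, separators, or UNION. */
function isSuspiciousOnClause(string $clause): bool
{
    return (bool) preg_match('/[\'";]|--|\/\*|\bUNION\b/i', $clause);
}

/** Map 1-based log line numbers to the first suspicious ON clause found on that line. */
function scanQueryLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        $sql = explode("\t", $line, 2)[1] ?? $line;   // drop the timestamp column
        foreach (extractOnClauses($sql) as $clause) {
            if (isSuspiciousOnClause($clause)) {
                $hits[$index + 1] = $clause;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample log: a benign join, then two carrying injected fragments.
$sampleLog = [
    "2026-05-02T10:00:01Z\tSELECT o.id FROM orders o JOIN users u ON o.user_id = u.id WHERE u.active = 1",
    "2026-05-02T10:00:02Z\tSELECT o.id FROM orders o JOIN users u ON o.user_id = u.id OR 1=1 -- WHERE u.active = 1",
    "2026-05-02T10:00:03Z\tSELECT o.id FROM orders o JOIN users u ON o.user_id = u.id /* probe */",
];
foreach (scanQueryLog($sampleLog) as $lineNo => $clause) {
    echo "line $lineNo: suspicious ON clause: $clause", PHP_EOL;
}
```

Only the second and third sample lines are reported; a legitimate ON clause made of identifiers and comparison operators never matches the metacharacter pattern.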
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized analytics platform and correlate anomalous query structures with source IPs
- Baseline normal JOIN patterns produced by the application and alert on deviations introduced after the vulnerability disclosure
- Track outbound data volume from database hosts to detect bulk extraction following injection attempts
How to Mitigate CVE-2026-42475
Immediate Actions Required
- Audit application code for invocations of BuildHelper::joinOn that receive request-derived data and refactor them to use static, validated identifiers
- Apply strict allow-list validation on any column or table names passed into join conditions
- Restrict database account privileges used by MixPHP applications to limit the blast radius of successful injection
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Monitor the mix-php/mix repository for releases beyond 2.2.17 that address the joinOn SQL injection. Until an official patch is published, treat the on array as untrusted across the codebase.
Workarounds
- Replace dynamic join conditions with parameterized queries or pre-defined ON expressions that exclude user input
- Wrap calls to joinOn with a validation layer that rejects identifiers not matching ^[A-Za-z0-9_.]+$
- Deploy WAF signatures that block SQL metacharacters in request parameters consumed by query-building code paths
# Example allow-list validation in PHP before invoking joinOn
// Reject anything that is not a bare or dotted identifier before it reaches the query builder.
if (!preg_match('/^[A-Za-z0-9_.]+$/', $userColumn)) {
    throw new InvalidArgumentException('Invalid join column');
}
// Illustrative call shape; match it to the actual joinOn signature in your MixPHP version.
$query->joinOn($table, ['left' => $userColumn, 'op' => '=', 'right' => 'other.id']);
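A fuller form of the allow-list pattern above, written for this advisory as an added example rather than taken from MixPHP: it validates each identifier segment, quotes it, and restricts the comparison operator to a fixed set, so no caller-supplied string ever reaches the SQL text unmodified. The ['left', 'op', 'right'] array shape is an assumption carried over from the snippet above, not the real joinOn signature.

```php
<?php
// Added example, not MixPHP code: build a JOIN ... ON expression from caller
// input without concatenating raw strings. The ['left','op','right'] shape is
// assumed for illustration; adapt it to the real BuildHelper::joinOn signature.
declare(strict_types=1);

final class SafeJoinCondition
{
    // Tightens the advisory's allow-list to bare or table.column identifiers only.
    private const IDENT = '/^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?$/';
    // Comparison operators a join condition legitimately needs; nothing else is accepted.
    private const OPERATORS = ['=', '<>', '!=', '<', '<=', '>', '>='];

    /** Validate an identifier, then quote each dotted segment (MySQL backtick style). */
    public static function quoteIdentifier(string $ident): string
    {
        if (!preg_match(self::IDENT, $ident)) {
            throw new InvalidArgumentException('Invalid identifier: ' . $ident);
        }
        $quoted = array_map(fn(string $p): string => '`' . $p . '`', explode('.', $ident));
        return implode('.', $quoted);
    }

    /** Return "ON `a`.`b` = `c`.`d`"; every part of $on is treated as untrusted. */
    public static function build(array $on): string
    {
        foreach (['left', 'op', 'right'] as $key) {
            if (!isset($on[$key]) || !is_string($on[$key])) {
                throw new InvalidArgumentException('Missing or non-string join key: ' . $key);
            }
        }
        if (!in_array($on['op'], self::OPERATORS, true)) {
            throw new InvalidArgumentException('Operator not allowed: ' . $on['op']);
        }
        return 'ON ' . self::quoteIdentifier($on['left'])
            . ' ' . $on['op'] . ' ' . self::quoteIdentifier($on['right']);
    }
}

// Constructed inputs: a legitimate relationship, then one carrying an injected fragment.
echo SafeJoinCondition::build(['left' => 'orders.user_id', 'op' => '=', 'right' => 'users.id']), PHP_EOL;
try {
    SafeJoinCondition::build(['left' => 'users.id OR 1=1 --', 'op' => '=', 'right' => 'users.id']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the quoting step runs only after validation succeeds, an identifier containing spaces, quotes, or comment markers is refused before any SQL is assembled.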
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.