CVE-2026-50636 Overview
CVE-2026-50636 is a SQL injection vulnerability in the LimeSurvey RemoteControl API. The invite_participants and remind_participants methods pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization. An authenticated attacker with the tokens/update permission on a survey can inject crafted array elements to execute arbitrary SQL. Because LimeSurvey configures its PDO connection with emulatePrepare = true and does not disable MySQL multi-statements, the injection supports stacked queries.
Critical Impact
Attackers can read or destroy any database content accessible to the application user, including administrator bcrypt password hashes in lime_users, leading to account takeover.
Affected Products
- LimeSurvey with RemoteControl API enabled (RPCInterface = json/xml)
- LimeSurvey installations exposing the invite_participants RemoteControl method
- LimeSurvey installations exposing the remind_participants RemoteControl method
Discovery Timeline
- 2026-06-09 - CVE-2026-50636 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-50636
Vulnerability Analysis
The flaw resides in LimeSurvey's RemoteControl API handlers for invite_participants and remind_participants. Both methods accept a token-ID array from the caller and forward it to TokenDynamic::findUninvited(). That function builds a SQL tid IN ('...') clause via direct string concatenation, with no parameter binding and no validation of array element contents.
LimeSurvey's PHP Data Object (PDO) connection runs with emulatePrepare = true, so queries are assembled client-side before transmission. MySQL multi-statement execution is not explicitly disabled. This combination enables stacked queries, allowing an attacker to terminate the original SELECT and append arbitrary INSERT, UPDATE, DELETE, DROP, or CREATE statements.
The weakness is classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Root Cause
The root cause is unsafe string concatenation of attacker-controlled array values into a SQL IN clause inside TokenDynamic::findUninvited(). The absence of prepared-statement binding and input validation lets injection payloads survive into the executed query text.
Attack Vector
An attacker must authenticate to the RemoteControl API and hold the tokens/update permission on a target survey. The attacker then submits a crafted token-ID array to invite_participants or remind_participants. Because output is not directly returned, exploitation relies on a SLEEP() time-based blind oracle to extract data such as administrator bcrypt hashes, survey response personally identifiable information (PII), session records, and global settings. Stacked queries also permit direct overwrite of the administrator password hash for immediate account takeover, or destruction of tables via DROP/TRUNCATE.
The RemoteControl interface must be enabled, which is not the default configuration.
Detection Methods for CVE-2026-50636
Indicators of Compromise
- RemoteControl API requests to invite_participants or remind_participants containing SQL metacharacters such as single quotes, parentheses, or SLEEP(, BENCHMARK(, UNION, or semicolon separators in token-ID array elements.
- Unexpected updates to the lime_users table, particularly password hash changes for administrator accounts.
- Anomalous DROP, TRUNCATE, or CREATE statements observed in MySQL general or slow query logs originating from the LimeSurvey database user.
- Long-running queries containing SLEEP() calls, indicative of time-based blind extraction.
Detection Strategies
- Inspect web server access logs for POST requests to the RemoteControl endpoint (/index.php?r=admin/remotecontrol) and decode JSON-RPC or XML-RPC payloads to flag non-numeric or quoted token-ID array elements.
- Enable MySQL query logging and alert on multi-statement execution patterns and SLEEP() invocations in queries referencing lime_tokens_* tables.
- Correlate authenticated RemoteControl sessions with subsequent administrator password resets or login behavior from new IP addresses.
Monitoring Recommendations
- Monitor authentication events for the LimeSurvey administrator account and alert on logins following RemoteControl API activity.
- Track schema-altering SQL statements executed by the application database user and treat any as high-severity.
- Baseline normal RemoteControl API usage and alert on spikes in invite_participants or remind_participants calls.
How to Mitigate CVE-2026-50636
Immediate Actions Required
- Disable the RemoteControl API by setting RPCInterface = off in application/config/config.php if it is not required.
- Revoke the tokens/update permission from non-essential survey roles to reduce the population of users able to reach the vulnerable code path.
- Rotate administrator credentials and review the lime_users table for unauthorized password hash changes.
- Audit lime_settings_global and survey response tables for tampering.
Patch Information
Apply the upstream fix tracked in the LimeSurvey GitHub Pull Request #5031. Refer to the VulnCheck Advisory: LimeSurvey SQL Injection and the LimeSurvey Official Website for release information and upgrade guidance.
Workarounds
- Disable the RemoteControl API entirely until the patched LimeSurvey release is deployed.
- Restrict network access to the LimeSurvey administrative endpoint using IP allowlists or a reverse proxy.
- Configure the application database user with least-privilege grants, removing DROP, CREATE, and ALTER permissions where feasible.
- Set PDO ATTR_EMULATE_PREPARES to false and ensure MySQL multi-statement execution is disabled at the driver level.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

