CVE-2026-5147 Overview
A SQL injection vulnerability has been discovered in YunaiV yudao-cloud up to version 2026.01. This security flaw affects the /admin-api/system/tenant/get-by-website endpoint, where improper handling of the Website argument allows attackers to inject malicious SQL queries. The vulnerability can be exploited remotely without authentication, potentially enabling unauthorized access to database contents, data manipulation, or further system compromise.
Critical Impact
Remote attackers can exploit this SQL injection vulnerability to extract sensitive data, modify database records, or potentially gain unauthorized access to the underlying system through the vulnerable tenant management API endpoint.
Affected Products
- YunaiV yudao-cloud up to version 2026.01
Discovery Timeline
- 2026-03-30 - CVE-2026-5147 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-5147
Vulnerability Analysis
This SQL injection vulnerability (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) exists in the tenant management functionality of yudao-cloud. The vulnerable endpoint /admin-api/system/tenant/get-by-website fails to properly sanitize user-supplied input in the Website parameter before incorporating it into SQL queries. This allows attackers to inject arbitrary SQL commands that are then executed against the backend database.
The vulnerability is remotely exploitable and requires no prior authentication or user interaction, making it particularly dangerous for internet-facing deployments. The exploit has been publicly disclosed and may already be used in active attacks. The vendor was contacted about this vulnerability but did not respond.
Root Cause
The root cause of this vulnerability is inadequate input validation and the absence of parameterized queries or prepared statements when processing the Website argument. The application directly concatenates user input into SQL query strings, allowing special SQL characters and commands to be interpreted by the database engine rather than being treated as literal data values.
Attack Vector
The attack vector is network-based, allowing remote exploitation without authentication. An attacker can craft malicious HTTP requests to the /admin-api/system/tenant/get-by-website endpoint, embedding SQL injection payloads within the Website parameter. Successful exploitation could allow the attacker to:
- Extract sensitive tenant and system data from the database
- Modify or delete database records
- Bypass authentication mechanisms
- Potentially execute operating system commands if database permissions allow
For detailed technical information about the vulnerability mechanism, see the GitHub Vulnerability Note and the endpoint-specific analysis.
Detection Methods for CVE-2026-5147
Indicators of Compromise
- Unusual or malformed requests to the /admin-api/system/tenant/get-by-website endpoint containing SQL syntax
- Database error messages in application logs indicating SQL syntax errors from the tenant lookup function
- Unexpected database queries or query patterns in database audit logs
- Signs of data exfiltration or unauthorized database access
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in the Website parameter
- Enable detailed logging for all requests to the /admin-api/system/tenant/ API endpoints
- Monitor database query logs for anomalous or unexpected query structures
- Deploy intrusion detection systems with SQL injection signature detection capabilities
Monitoring Recommendations
- Configure alerts for HTTP requests containing common SQL injection characters such as single quotes, semicolons, and SQL keywords in API parameters
- Monitor for unusual database activity patterns including bulk data retrieval or unauthorized schema access
- Review application error logs for database-related exceptions originating from tenant management functions
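The monitoring recommendations above as working detection logic, added here as an illustration and not code from the yudao-cloud project: it scans nginx combined-format access log lines (constructed samples), URL-decodes the website parameter of requests to the get-by-website endpoint, and flags values containing the quote, semicolon, comment-marker and SQL-keyword indicators the list names. The parameter name `website`, the log format and the keyword set are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin-api/system/tenant/get-by-website"

# nginx/Apache combined log format (assumed); only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# The indicators the monitoring recommendations list: quotes, semicolons,
# comment markers and common SQL keywords. Bare keywords are noisy (a host
# named or.example.com would trip "or"), so tune the keyword set per deployment.
SQLI_RE = re.compile(
    r"""['";]|--|/\*|\b(or|and|union|select|sleep|benchmark|waitfor)\b""", re.I)

def suspicious_requests(lines):
    """Return (client_ip, status, decoded_website) for requests to the
    get-by-website endpoint whose website parameter looks like SQL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
        # parse_qs decoded once; decode again so double-encoded payloads
        # (%2527 for a quote) are inspected in the form the application sees.
        website = unquote(params.get("website", ""))
        if SQLI_RE.search(website):
            hits.append((m["ip"], m["status"], website))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2026:10:01:02 +0000] "GET /admin-api/system/tenant/get-by-website?website=a.example.com HTTP/1.1" 200 512',
    '203.0.113.9 - - [30/Mar/2026:10:01:05 +0000] "GET /admin-api/system/tenant/get-by-website?website=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88',
    '203.0.113.9 - - [30/Mar/2026:10:01:07 +0000] "GET /admin-api/system/tenant/get-by-website?website=x%2527%2520or%25201%253D1 HTTP/1.1" 200 1024',
    '198.51.100.4 - - [30/Mar/2026:10:02:00 +0000] "GET /admin-api/system/user/page?pageNo=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} website={value!r}")
```

The 500 on the second sample line is the kind of database error response the Indicators of Compromise list points at, so correlating flagged requests with 5xx statuses and the application's SQL exception log is a cheap second signal.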
How to Mitigate CVE-2026-5147
Immediate Actions Required
- Restrict access to the /admin-api/system/tenant/get-by-website endpoint through network-level controls or authentication requirements
- Deploy WAF rules to block SQL injection attempts targeting this endpoint
- If possible, disable or remove the vulnerable endpoint until a patch is available
- Audit database access logs for signs of prior exploitation
Patch Information
At the time of publication, no official patch has been released by the vendor. The vendor was contacted about this disclosure but did not respond. Organizations using yudao-cloud should monitor the official repository and VulDB entry for updates on remediation options.
Workarounds
- Implement input validation to sanitize the Website parameter, rejecting requests containing SQL metacharacters
- Add a Web Application Firewall in front of the application with SQL injection detection rules enabled
- Restrict network access to the administrative API endpoints to trusted IP addresses only
- Consider implementing parameterized queries at the application level if source code modification is possible
# Example: Restrict access to vulnerable endpoint via nginx
location /admin-api/system/tenant/get-by-website {
    # Deny all external access until patched; 10.0.0.0/8 stands in for
    # whatever ranges your administrators actually use.
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    deny all;
    # Keep the same proxy_pass (and proxy_set_header lines) as the location
    # that already fronts /admin-api/, otherwise permitted clients are served
    # from nginx's default root rather than the application backend. If a load
    # balancer sits in front of nginx, the allow list sees its address unless
    # the real client IP is restored (e.g. via the realip module).
}
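To make the Root Cause section and the parameterized-query and input-validation workarounds concrete, here is an added Python/sqlite3 illustration, not the yudao-cloud code (which is Java); the table name, columns and tenant rows are constructed. The concatenating lookup treats a crafted website string as SQL, the bound-parameter version treats it as data, and a hostname check rejects it before any query runs.

```python
import re
import sqlite3

# Constructed stand-in for the tenant table; not the real yudao-cloud schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_tenant (id INTEGER, name TEXT, website TEXT)")
    conn.executemany(
        "INSERT INTO system_tenant VALUES (?, ?, ?)",
        [(1, "Tenant A", "a.example.com"), (2, "Tenant B", "b.example.com")],
    )
    return conn

def get_by_website_vulnerable(conn, website):
    """The pattern the advisory describes: the argument is spliced into the SQL
    text, so a quote inside `website` ends the literal and the rest is parsed
    as SQL instead of being compared as a value."""
    sql = "SELECT id, name FROM system_tenant WHERE website = '" + website + "'"
    return conn.execute(sql).fetchall()

def get_by_website_safe(conn, website):
    """Hardened form: the value travels as a bound parameter and can only ever
    be compared against the column, whatever characters it contains."""
    sql = "SELECT id, name FROM system_tenant WHERE website = ?"
    return conn.execute(sql, (website,)).fetchall()

# Defence in depth for the Workarounds section: a tenant website is a hostname,
# so reject anything that is not one before it reaches the data layer.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

def is_valid_website(website):
    return bool(HOSTNAME_RE.match(website))

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed tautology input, the textbook case
    print(get_by_website_vulnerable(conn, crafted))  # both tenant rows leak
    print(get_by_website_safe(conn, crafted))        # []
    print(is_valid_website(crafted))                 # False
```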
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.