CVE-2026-5736 Overview
A SQL injection vulnerability has been identified in PowerJob versions 5.1.0, 5.1.1, and 5.1.2. The vulnerability exists in the detailPlus endpoint within the InstanceController.java file located at powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java. The flaw allows attackers to manipulate the customQuery argument to inject arbitrary SQL commands, enabling unauthorized database access and manipulation.
Critical Impact
Remote attackers can exploit this SQL injection vulnerability without authentication to extract sensitive data, modify database contents, or potentially escalate to further system compromise through database server capabilities.
Affected Products
- PowerJob 5.1.0
- PowerJob 5.1.1
- PowerJob 5.1.2
Discovery Timeline
- 2026-04-07 - CVE-2026-5736 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5736
Vulnerability Analysis
This SQL injection vulnerability stems from improper handling of user-supplied input in the customQuery parameter of the detailPlus endpoint. When a request is made to this endpoint, the application fails to properly sanitize or parameterize the customQuery input before incorporating it into SQL statements. This allows an attacker to break out of the intended query context and inject malicious SQL commands.
The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which encompasses injection flaws where untrusted input is not properly neutralized before being used in sensitive operations.
Root Cause
The root cause of this vulnerability is the lack of proper input validation and parameterized queries in the InstanceController.java file. The customQuery argument is directly concatenated or interpolated into SQL statements without sanitization, allowing special SQL characters and commands to be interpreted by the database engine rather than treated as literal string data.
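A model of the pattern described above, added here as an illustration and not taken from PowerJob's InstanceController.java or the proposed fix. The table, column names and rows are hypothetical, and SQLite stands in for the server's database. It contrasts a filter concatenated into the statement with one built from allow-listed identifiers and bound values.

```python
import sqlite3

# Hypothetical names throughout: a stand-in table, not PowerJob's schema.
ALLOWED_FIELDS = {"status", "job_id"}
ALLOWED_OPS = {"=", "!=", "<", ">", "<=", ">="}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE instance_info "
               "(id INTEGER, app_id INTEGER, job_id INTEGER, status INTEGER)")
    db.executemany("INSERT INTO instance_info VALUES (?, ?, ?, ?)",
                   [(1, 10, 100, 5), (2, 10, 101, 3), (3, 20, 200, 5)])  # constructed rows
    return db

def query_concatenated(db, app_id, custom_query):
    """Vulnerable pattern: the caller's text becomes part of the SQL statement."""
    sql = "SELECT id FROM instance_info WHERE app_id = ? AND " + custom_query
    return sorted(row[0] for row in db.execute(sql, (app_id,)))

def query_structured(db, app_id, conditions):
    """Hardened pattern: identifiers come from an allow-list, values are bound."""
    clauses, params = ["app_id = ?"], [app_id]
    for field, op, value in conditions:
        if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
            raise ValueError(f"rejected filter: {field!r} {op!r}")
        clauses.append(f"{field} {op} ?")   # field/op are allow-listed constants
        params.append(value)                # value never reaches the SQL text
    sql = "SELECT id FROM instance_info WHERE " + " AND ".join(clauses)
    return sorted(row[0] for row in db.execute(sql, params))

if __name__ == "__main__":
    db = make_db()
    tampered = "status = 5 OR 1=1"  # constructed input that alters the WHERE logic
    print("concatenated, normal  :", query_concatenated(db, 10, "status = 5"))
    print("concatenated, tampered:", query_concatenated(db, 10, tampered))
    print("structured, normal    :", query_structured(db, 10, [("status", "=", 5)]))
    print("structured, tampered  :", query_structured(db, 10, [("status", "=", tampered)]))
```

In the concatenated version the added `OR` clause overrides the `app_id` scoping and returns rows belonging to another application. In the structured version the same text is compared as a literal value and matches nothing.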
Attack Vector
The attack can be executed remotely over the network without requiring authentication. An attacker can craft malicious HTTP requests to the detailPlus endpoint, inserting SQL injection payloads into the customQuery parameter. Successful exploitation could allow the attacker to:
- Extract sensitive data from the database including job configurations and credentials
- Modify or delete database records
- Potentially execute operating system commands if the database user has elevated privileges
- Bypass application-level access controls
The vulnerability is exploitable by sending specially crafted requests to the affected endpoint. Technical details and a proposed fix are available in the GitHub Issue Discussion and the associated GitHub Pull Request. Security researchers should review these resources for specific payload construction details.
Detection Methods for CVE-2026-5736
Indicators of Compromise
- Unusual or malformed requests to the /instance/detailPlus endpoint containing SQL syntax characters such as single quotes, semicolons, or UNION keywords
- Database error messages in application logs indicating syntax errors from malformed queries
- Unexpected database queries or data exfiltration patterns originating from the PowerJob server
- Anomalous database access patterns including bulk data retrieval or modification operations
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to PowerJob endpoints
- Enable database query logging and monitor for suspicious query patterns or error conditions
- Deploy network intrusion detection systems (IDS) with signatures for SQL injection attack patterns
- Configure application-level logging to capture all requests to the detailPlus endpoint for forensic analysis
Monitoring Recommendations
- Monitor HTTP access logs for requests containing URL-encoded SQL injection payloads targeting the customQuery parameter
- Set up alerts for database errors that may indicate exploitation attempts
- Track unusual data access patterns from the PowerJob application database user
- Implement anomaly detection for request frequency and payload sizes to the affected endpoint
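One way to implement the access-log check from the indicators and monitoring items above, as an added example that is not part of the original advisory. It assumes combined-format access logs in which customQuery appears in the query string. The sample lines are constructed, and the comment-marker patterns are an addition to the characters the advisory lists.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/instance/detailPlus"   # path named in the indicators above
PARAM = "customQuery"
# Advisory indicators: single quotes, semicolons, UNION keywords.
# "--" and "/*" (SQL comment markers) are an added assumption.
SUSPICIOUS = re.compile(r"'|;|--|/\*|\bunion\b", re.IGNORECASE)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding so a double-encoded quote (%2527) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line number, client address, matched token) for suspicious requests."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(ENDPOINT):   # tolerate a context-path prefix
            continue
        # parse_qs decodes once; decode_fully handles any further layers
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            found = SUSPICIOUS.search(decode_fully(raw))
            if found:
                hits.append((lineno, line.split()[0], found.group(0).lower()))
                break
    return hits

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE = [
    '203.0.113.5 - - [08/Apr/2026:10:00:01 +0000] "GET /instance/detailPlus?customQuery=status%3D5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Apr/2026:10:00:07 +0000] "GET /instance/detailPlus?customQuery=status%3D5%20UNION%20SELECT%201 HTTP/1.1" 500 87',
    '203.0.113.9 - - [08/Apr/2026:10:00:09 +0000] "GET /instance/detailPlus?customQuery=x%2527 HTTP/1.1" 500 87',
    '198.51.100.2 - - [08/Apr/2026:10:00:11 +0000] "GET /job/list?customQuery=%27 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Request bodies are not recorded in standard access logs, so a customQuery value sent in a POST body needs application-level or WAF audit logging to be visible to a check like this.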
How to Mitigate CVE-2026-5736
Immediate Actions Required
- Restrict network access to the PowerJob server to trusted networks and IP addresses only
- Implement a Web Application Firewall (WAF) with SQL injection protection rules in front of the PowerJob deployment
- Review and audit database permissions to ensure the PowerJob database user has minimal required privileges
- Monitor the GitHub Pull Request for official patch availability and apply when released
Patch Information
As of the last modification date, the PowerJob project has been notified of this vulnerability through the GitHub Issue Discussion but has not yet responded with an official patch. A community-submitted fix is available in the GitHub Pull Request. Organizations should monitor the PowerJob GitHub Repository for official security updates and patch releases. Additional vulnerability details are documented in the VulDB Vulnerability Report.
Workarounds
- Deploy a reverse proxy or WAF to filter and sanitize incoming requests to the detailPlus endpoint
- If the detailPlus functionality is not required, consider disabling or restricting access to the endpoint at the network or application level
- Implement strict input validation at the network perimeter to block requests containing SQL injection patterns
- Apply database-level restrictions to limit the impact of potential SQL injection exploitation
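# Example WAF configuration to block SQL injection patterns (ModSecurity)
# Add to your ModSecurity rules configuration
# ARGS matches query-string and form-encoded parameters; a value sent inside a
# JSON body is only visible if the JSON request body processor is enabled, and
# then under a json.-prefixed argument name.
# "block" applies the disruptive action set by SecDefaultAction.
SecRule ARGS:customQuery "@detectSQLi" \
    "id:100001,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attempt Detected in customQuery parameter',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    severity:'CRITICAL'"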
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

