CVE-2026-6628 Overview
A SQL Injection vulnerability has been discovered in phili67 Ecclesia CRM affecting versions up to and including 8.0.0. The vulnerability exists in the ValidateInput function within the /v2/query/view/ endpoint of the Query Viewer Component. Remote authenticated attackers can exploit this flaw by manipulating the custom parameter to inject malicious SQL queries, potentially leading to unauthorized data access, data manipulation, or other database-level attacks.
Critical Impact
Remote attackers can exploit this SQL injection vulnerability to read, modify, or delete sensitive data stored in the Ecclesia CRM database, potentially compromising member information and organizational data.
Affected Products
- Ecclesia CRM up to version 8.0.0
- Query Viewer Component (/v2/query/view/)
- ValidateInput function handling the custom parameter
Discovery Timeline
- 2026-04-20 - CVE-2026-6628 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-6628
Vulnerability Analysis
This SQL Injection vulnerability (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) resides in the Query Viewer Component of Ecclesia CRM. The ValidateInput function fails to properly sanitize user-supplied input in the custom parameter before incorporating it into SQL queries. This allows an authenticated attacker with network access to inject arbitrary SQL commands that are executed against the underlying database.
The exploit has been publicly disclosed and is available for use. The vendor was contacted regarding this vulnerability but did not respond, leaving users without an official patch at this time.
Root Cause
The root cause of this vulnerability is insufficient input validation and lack of parameterized queries in the ValidateInput function. User-controlled data from the custom parameter is directly concatenated into SQL statements without proper sanitization or escaping, enabling injection attacks. This represents a fundamental secure coding failure where untrusted input is trusted and processed without defensive measures.
Attack Vector
The attack can be initiated remotely over the network by an authenticated user. The attacker crafts a malicious HTTP request to the /v2/query/view/ endpoint with a specially crafted custom parameter containing SQL injection payloads. Since the vulnerability requires low privileges (authenticated access) and no user interaction, it presents a straightforward exploitation path for attackers who have obtained valid credentials through any means.
The injection point allows attackers to potentially:
- Extract sensitive data from the database (data exfiltration)
- Modify or delete existing records (data manipulation)
- Bypass application logic and access controls
- Potentially escalate to command execution depending on database configuration
Detection Methods for CVE-2026-6628
Indicators of Compromise
- Unusual SQL syntax patterns in web application logs targeting /v2/query/view/
- Anomalous database query execution times or error messages
- Unexpected data access patterns or bulk data retrievals from the CRM database
- Authentication attempts followed by requests to the Query Viewer Component with suspicious custom parameter values
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in HTTP requests to the /v2/query/view/ endpoint
- Monitor application logs for requests containing SQL keywords (UNION, SELECT, DROP, INSERT, etc.) in the custom parameter
- Deploy database activity monitoring to identify unusual query patterns or unauthorized data access
- Use intrusion detection systems (IDS) with SQL injection signature detection enabled
Monitoring Recommendations
- Enable verbose logging on the Ecclesia CRM application to capture all requests to the Query Viewer Component
- Configure database audit logging to track all queries executed against sensitive tables
- Set up alerts for failed authentication attempts followed by access to the /v2/query/view/ endpoint
- Monitor for outbound data transfers that could indicate successful data exfiltration
How to Mitigate CVE-2026-6628
Immediate Actions Required
- Restrict access to the /v2/query/view/ endpoint to only trusted administrative users
- Implement network-level access controls to limit who can reach the Ecclesia CRM application
- Deploy a Web Application Firewall (WAF) with SQL injection protection rules
- Consider temporarily disabling the Query Viewer Component if not business-critical
- Audit user accounts and remove unnecessary privileges
Patch Information
No official patch is currently available from the vendor. According to the vulnerability disclosure, the vendor was contacted but did not respond. Organizations using Ecclesia CRM should monitor the VulDB entry and vendor channels for any future security updates. Technical details about the vulnerability have been documented in the GitHub SQL Injection Repository.
Workarounds
- Implement input validation at the application level using a reverse proxy or WAF to filter SQL injection patterns from the custom parameter
- Use network segmentation to isolate the Ecclesia CRM instance from untrusted network segments
- Apply principle of least privilege to database accounts used by the application to limit potential damage
- Consider implementing prepared statements or parameterized queries if source code modifications are possible
# Example WAF rule configuration to block SQL injection attempts
# Add to your ModSecurity or similar WAF configuration
SecRule ARGS:custom "@detectSQLi" \
"id:100001,\
phase:2,\
block,\
log,\
msg:'SQL Injection attempt detected in Ecclesia CRM custom parameter',\
tag:'CVE-2026-6628'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
