CVE-2026-7672 Overview
CVE-2026-7672 is a SQL injection vulnerability in youlaitech youlai-boot versions up to 2.21.1. The flaw resides in the getUserList function within src/main/java/com/youlai/boot/system/controller/UserController.java, part of the Users Endpoint component. Attackers can manipulate the order argument to inject arbitrary SQL into backend database queries. The attack is exploitable remotely over the network and requires only low-level authenticated privileges. The exploit details have been publicly disclosed, increasing the risk of opportunistic exploitation. The vendor was contacted but did not respond to coordinated disclosure attempts.
Critical Impact
Authenticated remote attackers can manipulate the order parameter in the Users Endpoint to execute arbitrary SQL queries, potentially exposing or altering user data managed by the application.
Affected Products
- youlaitech youlai-boot versions up to and including 2.21.1
- Component: Users Endpoint (UserController.java)
- Affected function: getUserList
Discovery Timeline
- 2026-05-03 - CVE-2026-7672 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-7672
Vulnerability Analysis
The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The getUserList function in UserController.java accepts an order argument from client requests and forwards it into a database query without adequate validation or parameterization. This pattern is common when developers use the order parameter for dynamic sorting, since standard ORM placeholder binding does not apply to SQL identifiers or ORDER BY clauses.
An authenticated attacker can submit crafted values for order to break out of the intended SQL context. Exploitation can disclose sensitive data from the user table, manipulate query results, or chain with database-specific syntax to extract additional schema information. The vulnerability is exposed over the network through the standard Users Endpoint, making remote exploitation straightforward once a low-privileged session is established.
Root Cause
The root cause is unsafe concatenation of the user-controlled order parameter into a SQL statement. The function does not enforce an allow-list of valid column names or sort directions before passing the value to the database layer. Because ORDER BY clauses cannot be parameterized through prepared statements, the absence of strict input validation allows arbitrary SQL fragments to reach the query engine.
Attack Vector
The attack is delivered remotely via HTTP requests to the Users Endpoint. An attacker authenticates with low-privilege credentials and submits a request to the user listing API with a malicious order value. The injected SQL is concatenated into the executed query, returning attacker-controlled results. Public disclosure of the technique on VulDB and Feishu lowers the barrier to weaponization. Refer to the VulDB Vulnerability #360825 and Feishu Document for the public proof-of-concept details.
Detection Methods for CVE-2026-7672
Indicators of Compromise
- HTTP requests to the Users Endpoint containing SQL keywords such as SELECT, UNION, SLEEP, BENCHMARK, or comment markers (--, /*) within the order parameter.
- Database error messages or stack traces emitted by UserController.getUserList correlating with anomalous order values.
- Unusually long query execution times on the user listing endpoint, indicating potential time-based blind SQL injection probing.
Detection Strategies
- Inspect application access logs for order parameter values that deviate from the expected allow-list of column names and asc/desc keywords.
- Enable database query logging and alert on queries originating from getUserList containing unexpected SQL syntax or subqueries.
- Deploy a web application firewall ruleset for SQL injection patterns targeting parameter names commonly used for sort ordering.
Monitoring Recommendations
- Forward application and database telemetry to a centralized analytics platform for correlation between HTTP request payloads and downstream SQL activity.
- Track authenticated user accounts that issue high volumes of requests to the Users Endpoint, particularly with varied order values.
- Establish baselines for query response sizes and durations on getUserList so deviations triggered by injection can be flagged.
How to Mitigate CVE-2026-7672
Immediate Actions Required
- Restrict access to the Users Endpoint to trusted administrative networks or VPN-only segments until a fix is applied.
- Audit the getUserList implementation and replace direct concatenation of the order parameter with a strict allow-list validator that maps client values to known-safe column identifiers.
- Rotate credentials and review audit logs for any successful exploitation attempts referencing the Users Endpoint.
Patch Information
No vendor patch has been published. The vendor was contacted prior to disclosure and did not respond. Operators should track the VulDB advisory for updates and consider applying source-level mitigations directly in UserController.java until an official release is issued.
Workarounds
- Implement an allow-list in getUserList that accepts only predefined column names and ASC/DESC values, rejecting any other input.
- Apply a reverse proxy or WAF rule that strips or blocks requests where the order parameter contains characters outside the alphanumeric set.
- Use the database account with the minimum privileges required, removing schema modification and inter-table read permissions where possible to limit the impact of injection.
# Example WAF rule (ModSecurity) to block suspicious order parameters
SecRule ARGS:order "@rx [^a-zA-Z0-9_,. ]" \
"id:1026672,phase:2,deny,status:403,\
msg:'CVE-2026-7672 - Suspicious order parameter blocked',\
tag:'attack-sqli'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

