CVE-2026-8054 Overview
CVE-2026-8054 is a SQL Injection vulnerability in the dotCMS Core Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll. The flaw affects dotCMS Core versions 25.11.04-1 through 26.04.28-02. The endpoints did not enforce authentication and accepted unsanitized input that was used in dynamically constructed SQL queries. Remote unauthenticated attackers can read, modify, or destroy arbitrary database content. The vulnerability is tracked under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command). Long Term Support (LTS) releases are not affected because the vulnerable code path was never backported.
Critical Impact
Unauthenticated remote attackers can execute arbitrary SQL queries against the dotCMS database, leading to full compromise of stored content, credentials, and configuration data.
Affected Products
- dotCMS Core 25.11.04-1 through 26.04.28-02
- Publish Audit API endpoint /api/auditPublishing/get
- Publish Audit API endpoint /api/auditPublishing/getAll
Discovery Timeline
- 2026-05-27 - CVE-2026-8054 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-8054
Vulnerability Analysis
The vulnerability resides in two Publish Audit REST endpoints exposed by dotCMS Core. Both endpoints accept request parameters that are concatenated directly into SQL queries without parameterization or input sanitization. Neither endpoint enforced authentication, meaning any remote actor with network access to the application can reach them. An attacker can therefore inject SQL syntax to alter the query structure, exfiltrate database contents, or destructively modify records. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user holding the publishing-queue portlet permission and applies proper input handling.
Root Cause
The root cause is improper neutralization of special elements in SQL commands [CWE-89]. The audit publishing controllers built SQL statements through string concatenation using untrusted client input. Compounding the issue, the endpoints lacked any authentication or authorization checks, removing the access control layer that would otherwise limit reachability.
Attack Vector
The attack vector is network-based and requires no authentication, no user interaction, and no privileges. An attacker sends a crafted HTTP request to /api/auditPublishing/get or /api/auditPublishing/getAll containing SQL metacharacters and payloads in the vulnerable parameters. The injected SQL executes within the database context used by dotCMS, enabling extraction of arbitrary tables, modification of content, or destruction of records.
No verified public proof-of-concept code is available. See the dotCMS Known Security Issue SI-75 and the dotCMS Core Pull Request #35553 for technical details of the fix.
Detection Methods for CVE-2026-8054
Indicators of Compromise
- HTTP requests to /api/auditPublishing/get or /api/auditPublishing/getAll containing SQL metacharacters such as single quotes, UNION SELECT, --, ;, or hex-encoded payloads.
- Unauthenticated access attempts to the Publish Audit API from external IP addresses.
- Database error messages or anomalous response sizes returned from the audit publishing endpoints.
- Unexpected database queries originating from the dotCMS application user against sensitive tables such as user_, dot_cluster, or cms_role.
Detection Strategies
- Inspect web server and application logs for requests to the two vulnerable endpoints and correlate with payloads containing SQL syntax.
- Deploy Web Application Firewall (WAF) signatures that flag SQL injection patterns targeting auditPublishing paths.
- Enable database query logging and alert on queries referencing audit publishing tables that contain unusual UNION, SLEEP, or INFORMATION_SCHEMA constructs.
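The log-inspection strategy above, as an added example that is not part of the advisory or of dotCMS: a small Python scanner that decodes request paths and flags only requests to the two named endpoints that carry the SQL indicators listed under Indicators of Compromise. The log lines and the parameter names (assetId, offset) are constructed for the example; the advisory does not name the vulnerable parameters.

```python
"""Scan web-server access logs for CVE-2026-8054 probes (added example; log lines constructed)."""
import re
from urllib.parse import unquote_plus

# Only the two Publish Audit endpoints named in the advisory are in scope.
ENDPOINT_RE = re.compile(r"^/api/auditPublishing/(get|getAll)(?:[/?]|$)")

# SQL indicators from the advisory's IoC list, matched after URL decoding so %27 is seen as '.
SQL_PATTERNS = [
    ("single quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("statement separator", re.compile(r";")),
    ("UNION SELECT", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("SLEEP/INFORMATION_SCHEMA", re.compile(r"\bsleep\s*\(|information_schema", re.I)),
    ("hex literal", re.compile(r"\b0x[0-9a-f]{4,}", re.I)),
]

# NGINX/Apache combined-log prefix: client - - [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def classify(line):
    """Return (client, raw_path, status, reasons) for in-scope requests, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _ts, _method, raw_path, status, _size = m.groups()
    path = unquote_plus(unquote_plus(raw_path))  # decode twice to catch %2527-style nesting
    if not ENDPOINT_RE.match(path):
        return None
    reasons = [name for name, pat in SQL_PATTERNS if pat.search(path)]
    return client, raw_path, int(status), reasons

def scan(lines):
    """Return only in-scope requests carrying at least one SQL indicator."""
    return [r for r in map(classify, lines) if r and r[3]]

SAMPLE_LOG = [  # constructed sample lines; parameter names are assumptions, not dotCMS's
    '203.0.113.5 - - [27/May/2026:10:01:02 +0000] "GET /api/auditPublishing/get?assetId=123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/May/2026:10:01:09 +0000] "GET /api/auditPublishing/get?assetId=123%27%20OR%201%3D1-- HTTP/1.1" 500 2048',
    '198.51.100.7 - - [27/May/2026:10:02:15 +0000] "GET /api/auditPublishing/getAll?offset=0%3BSELECT%20SLEEP(5) HTTP/1.1" 200 8192',
    '192.0.2.9 - - [27/May/2026:10:03:00 +0000] "GET /api/content/render?id=1%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, path, status, reasons in scan(SAMPLE_LOG):
        print(f"{client} {path} (HTTP {status}): {', '.join(reasons)}")
```

A 500 status or an unusually large response on a flagged request is worth correlating with the database error and response-size indicators above.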
Monitoring Recommendations
- Forward dotCMS application logs and database audit logs to a centralized logging or SIEM platform for correlation.
- Baseline normal request volume to /api/auditPublishing/* and alert on deviations or spikes from a single source.
- Monitor outbound network traffic from the dotCMS host for signs of data exfiltration following suspicious API activity.
How to Mitigate CVE-2026-8054
Immediate Actions Required
- Upgrade dotCMS Core to version 26.04.28-03 or later, which enforces authentication and the publishing-queue portlet permission on the affected endpoints.
- If upgrading is not immediately possible, block external access to /api/auditPublishing/get and /api/auditPublishing/getAll at the reverse proxy or WAF.
- Review database and application logs for prior exploitation attempts against the vulnerable endpoints.
- Rotate credentials and secrets stored in the dotCMS database if compromise is suspected.
Patch Information
The vendor released the fix in dotCMS Core 26.04.28-03. The patched version requires an authenticated backend user with the publishing-queue portlet permission to access the Publish Audit API. Implementation details are available in the dotCMS Core Pull Request #35553. LTS releases were never affected because the vulnerable code path was not backported.
Workarounds
- Restrict network access to the dotCMS administrative and API endpoints using firewall rules or reverse proxy ACLs.
- Deploy WAF rules to block requests to /api/auditPublishing/get and /api/auditPublishing/getAll from untrusted networks until the patch is applied.
- Apply least-privilege principles to the database account used by dotCMS to limit the impact of a successful injection.
# Example NGINX configuration to block external access to the vulnerable endpoints.
# Location matching ignores the query string, so the regex is anchored to the path;
# the trailing /?$ stops it from also matching other paths that merely start with "get".
location ~ ^/api/auditPublishing/(get|getAll)/?$ {
    # Add "allow <trusted admin CIDR>;" before deny all if internal access must stay open.
    deny all;   # nginx answers with 403 for denied clients
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.