CVE-2026-8851 Overview
CVE-2026-8851 is a SQL injection vulnerability [CWE-89] in SOGo, an open-source groupware server developed by Alinto. The flaw affects SOGo versions 5.12.7 and prior. It resides in the Access Control List (ACL) management functionality exposed through the addUserInAcls endpoint. Authenticated users can inject SQL subqueries via the uid parameter to extract arbitrary data from the backend database. The injected subquery's result is written into the sogo_acl table, and the attacker reads it back through the /acls API. Because the extracted value is persisted and then served in a normal API response, the attacker gets a direct read channel and does not need blind, error-based or time-based extraction.
Critical Impact
Authenticated attackers can read arbitrary database contents, including credentials, mailbox metadata, and ACL records, enabling lateral compromise of SOGo-managed mail and calendar data.
Affected Products
- SOGo versions 5.12.7 and prior
- SOGo Access Control List management component (addUserInAcls endpoint)
- Deployments exposing the /acls API to authenticated users
Discovery Timeline
- 2026-05-18 - CVE-2026-8851 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
- 2026-05-21 - Exploit Prediction Scoring System (EPSS) data published
Technical Details for CVE-2026-8851
Vulnerability Analysis
The vulnerability sits in SOGo's ACL management logic that handles user additions to shared resource permissions. The addUserInAcls endpoint accepts a uid parameter that is concatenated into a SQL statement without proper parameterization or sanitization. An authenticated user with valid SOGo credentials can supply crafted input that breaks out of the intended uid value and appends arbitrary SQL subqueries.
Because SOGo writes the supplied identifier into the sogo_acl table and later returns ACL contents through the /acls API, an attacker can stage extracted data inside that table. The attacker then reads it back over a normal authenticated API call. This pattern functions as out-of-band exfiltration and removes the need for blind or time-based extraction techniques.
Root Cause
The root cause is improper neutralization of special elements in a SQL command [CWE-89]. The uid parameter is interpolated into a query string instead of being bound through prepared statements. SOGo trusts the input for ACL identifiers and does not constrain it to expected character classes or length. The combination of writable persistence in sogo_acl and readable exposure through /acls converts a typical injection primitive into a reliable read channel.
Attack Vector
Exploitation requires network access to the SOGo web interface and a valid authenticated session, consistent with low privilege requirements. The attacker submits a request to addUserInAcls containing a malicious uid value that includes a SQL subquery. The subquery executes inside the database, and its result is stored in sogo_acl. The attacker then issues a request to /acls to read the staged data. No user interaction is required.
No verified proof-of-concept code is available in the referenced advisories. The VulnCheck advisory describes the exploitation pattern in further detail.
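The pattern described above in a self-contained model, as an added example that is not SOGo's code and not a proof of concept against SOGo: a toy sogo_acl table fed by a vulnerable handler that interpolates uid into the statement text, beside a fixed handler that enforces an identifier allowlist and binds parameters, and a read-back function standing in for /acls. The schema, the user_secrets table, the token value, the PAYLOAD string and the function names are constructed for the demonstration; the sogo_acl column names are an assumption modelled on SOGo's schema and are not verified against the affected version. SQLite is used for portability; the || concatenation in the payload also applies to PostgreSQL, while MySQL would need CONCAT().

```python
import re
import sqlite3

# Constructed, simplified schema for this demo. The sogo_acl column names are an
# assumption modelled on SOGo's schema, not verified against 5.12.7; user_secrets is
# a stand-in for "any other table" holding a value the attacker wants to read.
SCHEMA = """
CREATE TABLE sogo_acl (c_folder_id INTEGER, c_object TEXT, c_uid TEXT, c_role TEXT);
CREATE TABLE user_secrets (c_uid TEXT, c_token TEXT);
INSERT INTO user_secrets VALUES ('admin', 'tok-5f3a9c');
"""

# Assumed allowlist for ACL identifiers: a bounded character set and length.
UID_ALLOWED = re.compile(r"[A-Za-z0-9._@-]{1,255}")

# Attacker-controlled uid. '||' is SQLite/PostgreSQL string concatenation; the inner
# SELECT runs in the database and its result becomes the stored c_uid value.
PAYLOAD = "' || (SELECT c_token FROM user_secrets WHERE c_uid = 'admin') || '"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user_in_acls_vulnerable(conn, folder_id, uid, role="ObjectViewer"):
    """Models the flaw: uid is interpolated into the statement text."""
    sql = ("INSERT INTO sogo_acl (c_folder_id, c_object, c_uid, c_role) "
           f"VALUES ({int(folder_id)}, '/', '{uid}', '{role}')")
    conn.execute(sql)
    conn.commit()


def add_user_in_acls_fixed(conn, folder_id, uid, role="ObjectViewer"):
    """Hardened form: allowlist the identifier, then bind it as a parameter."""
    if not UID_ALLOWED.fullmatch(uid):
        raise ValueError(f"rejected uid: {uid!r}")
    conn.execute(
        "INSERT INTO sogo_acl (c_folder_id, c_object, c_uid, c_role) VALUES (?, ?, ?, ?)",
        (folder_id, "/", uid, role),
    )
    conn.commit()


def list_acls(conn, folder_id):
    """Models the /acls read-back: returns the stored c_uid values for a folder."""
    rows = conn.execute(
        "SELECT c_uid FROM sogo_acl WHERE c_folder_id = ? ORDER BY rowid", (folder_id,)
    )
    return [r[0] for r in rows]


def demo_vulnerable():
    """The subquery result lands in sogo_acl and comes back through the read path."""
    conn = new_db()
    add_user_in_acls_vulnerable(conn, 1, PAYLOAD)
    return list_acls(conn, 1)


def demo_fixed():
    """The allowlist rejects the payload; a well-formed identifier is still accepted."""
    conn = new_db()
    try:
        add_user_in_acls_fixed(conn, 1, PAYLOAD)
    except ValueError:
        pass
    add_user_in_acls_fixed(conn, 1, "alice@example.org")
    return list_acls(conn, 1)


def demo_bound_only():
    """Binding alone (no allowlist) stores the payload as an inert literal string."""
    conn = new_db()
    conn.execute("INSERT INTO sogo_acl VALUES (?, ?, ?, ?)", (1, "/", PAYLOAD, "ObjectViewer"))
    conn.commit()
    return list_acls(conn, 1)


if __name__ == "__main__":
    print(demo_vulnerable())  # ['tok-5f3a9c']
    print(demo_fixed())       # ['alice@example.org']
```

demo_bound_only shows that parameter binding alone already removes the injection; the allowlist is defence in depth that keeps junk out of a table other code later trusts as a list of user identifiers.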
Detection Methods for CVE-2026-8851
Indicators of Compromise
- HTTP requests to the addUserInAcls endpoint containing SQL keywords such as SELECT, UNION, FROM, or subquery parentheses in the uid parameter
- Unexpected or malformed entries in the sogo_acl table containing SQL fragments or data values from unrelated tables
- Repeated /acls GET requests from the same account immediately following its requests to addUserInAcls
- Authenticated SOGo sessions issuing high volumes of ACL modification requests from a single source
Detection Strategies
- Inspect SOGo web server access logs for uid parameter values containing quotes, parentheses, SQL keywords, or comment sequences such as -- and /*; a uid sent in a request body rather than the query string will not appear in access logs, so application-level request logging or database query logging is needed to cover that case
- Audit the sogo_acl table for rows whose identifier columns contain syntactically invalid UIDs or data resembling other table contents
- Enable database query logging on the SOGo backend and alert on queries against sogo_acl that contain nested SELECT statements
- Correlate authenticated user activity patterns to flag accounts that repeatedly target ACL endpoints
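Detection logic for the indicators and strategies above, as an added example that is not part of this page or of SOGo: it parses constructed Apache combined-format access log lines, flags addUserInAcls requests whose uid fails an identifier allowlist, pairs each flagged write with a /acls read by the same account inside a short window, and audits rows pulled from sogo_acl against both the allowlist and a set of known accounts. The log lines, usernames, IP addresses, ACL rows and the known_users set are constructed; the URL layout assumes uid travels in the query string and the proxy logs it, and the row layout assumes (c_folder_id, c_object, c_uid, c_role) column order, which is not verified against the affected version.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines; not real SOGo traffic. Assumes the
# front-end proxy logs the full query string and that uid is carried in it.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/May/2026:10:01:02 +0000] "GET /SOGo/so/alice/Calendar/personal/addUserInAcls?uid=bob HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - mallory [18/May/2026:10:02:30 +0000] "GET /SOGo/so/mallory/Calendar/personal/addUserInAcls?uid=%27%7C%7C%28SELECT%20c_token%20FROM%20user_secrets%29%7C%7C%27 HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.0.0.9 - mallory [18/May/2026:10:02:31 +0000] "GET /SOGo/so/mallory/Calendar/personal/acls HTTP/1.1" 200 88 "-" "curl/8.5.0"
10.0.0.5 - alice [18/May/2026:10:03:00 +0000] "GET /SOGo/so/alice/Calendar/personal/acls HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Constructed rows in (c_folder_id, c_object, c_uid, c_role) order; the column
# names are an assumption about sogo_acl, not verified against 5.12.7.
SAMPLE_ACL_ROWS = [
    (1, "/", "bob", "ObjectViewer"),
    (1, "/", "tok-5f3a9c", "ObjectViewer"),  # allowlist-clean, but not a user
    (7, "/", "' || (SELECT c_token FROM user_secrets) || '", "ObjectViewer"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed allowlist for ACL identifiers: bounded character set and length.
UID_ALLOWED = re.compile(r"[A-Za-z0-9._@-]{1,255}")


def parse_line(line):
    """Returns (ip, user, timestamp, path, query) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, url.path, url.query


def bad_uids(query):
    """uid values in a query string that fail the identifier allowlist (percent-decoded)."""
    return [u for u in parse_qs(query).get("uid", []) if not UID_ALLOWED.fullmatch(u)]


def scan_access_log(text):
    """(user, ip, uid) for each addUserInAcls request carrying a non-identifier uid."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[3].endswith("/addUserInAcls"):
            continue
        ip, user, _ts, _path, query = rec
        hits.extend((user, ip, u) for u in bad_uids(query))
    return hits


def readback_after_injection(text, window_seconds=60):
    """Accounts that read /acls within window_seconds of their own flagged addUserInAcls."""
    last_flagged = {}
    users = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ip, user, ts, path, query = rec
        if path.endswith("/addUserInAcls") and bad_uids(query):
            last_flagged[user] = ts
        elif path.endswith("/acls") and user in last_flagged:
            if (ts - last_flagged[user]).total_seconds() <= window_seconds and user not in users:
                users.append(user)
    return users


def audit_acl_rows(rows, known_users):
    """Rows whose c_uid is not a well-formed identifier or matches no known account.

    The second test catches staged values that happen to be allowlist-clean
    (a token or hash made of letters and digits) but correspond to no real user."""
    return [r for r in rows if not UID_ALLOWED.fullmatch(r[2]) or r[2] not in known_users]


if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
    print(readback_after_injection(SAMPLE_LOG))
    print(audit_acl_rows(SAMPLE_ACL_ROWS, {"alice", "bob", "mallory"}))
```

The known_users set stands in for whatever the deployment treats as authoritative (the user directory or SOGo's own user table); a row that passes the allowlist but names no real account is the signature of a staged value, which a syntax check alone would miss.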
Monitoring Recommendations
- Forward SOGo application logs, web server logs, and database audit logs into a centralized SIEM for correlation
- Build alerts on anomalous request rates to /SOGo/so/*/addUserInAcls and /acls URIs
- Track post-authentication behavior of low-privilege SOGo accounts for ACL enumeration patterns
How to Mitigate CVE-2026-8851
Immediate Actions Required
- Upgrade SOGo to version 5.12.8 or later, which contains the official fix from Alinto
- Rotate any credentials or other secrets stored in the SOGo backend database, since an attacker could have read them before patching, and review the accounts that could have been used to exploit the issue
- Review the sogo_acl table for anomalous entries and remove injected rows
- Restrict network access to the SOGo web interface to trusted clients while patching is in progress
Patch Information
Alinto released SOGo 5.12.8 to remediate this issue. Refer to the GitHub Release SOGo 5.12.8 and the SOGo v5.12.8 Release Announcement for upgrade notes. The VulnCheck Advisory: SOGo SQL Injection provides additional technical context.
Workarounds
- If immediate patching is not feasible, place SOGo behind a web application firewall (WAF) and block requests to addUserInAcls whose uid parameter contains SQL metacharacters such as quotes, parentheses, or comment sequences; treat this as a stop-gap, since filter bypasses are common and the rule must also inspect uid values sent in request bodies
- Limit access to ACL management endpoints to administrative users through reverse proxy authentication rules, accepting that this removes calendar and mailbox sharing for ordinary users until the upgrade is complete
- Disable shared calendar and mailbox features that rely on addUserInAcls until the upgrade is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


