High (8.8)

OpenSTAManager SQL Injection (CVE-2026-35168)

CVE-2026-35168

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict ...

Overview

A critical SQL injection vulnerability, tracked as CVE-2026-35168, exists in the OpenSTAManager technical assistance and invoicing software. The flaw is located in the ‘Aggiornamenti’ (Updates) module and allows authenticated attackers to execute arbitrary SQL commands directly on the underlying MySQL database.

Vulnerability Details

In versions prior to 2.10.2, the database conflict resolution feature (op=risolvi-conflitti-database) accepts a raw JSON array of SQL statements via a POST request. The application passes these statements directly to the database without any validation, sanitization, or allowlist filtering. Furthermore, the feature explicitly disables foreign key checks (SET FOREIGN_KEY_CHECKS=0), removing a key database integrity safeguard. An attacker with access to this module, which requires only low-privileged authentication, can submit any SQL command the MySQL server supports.
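As an added example (not code from this advisory or from the OpenSTAManager project), the following Python script scans web-server access logs in Combined Log Format for POST requests carrying the op=risolvi-conflitti-database parameter named above, so an operator can tell whether the conflict-resolution endpoint was exercised before the patch was applied. The addresses, timestamps, request paths and module names in the embedded sample are constructed; only the op value comes from the advisory. One caveat: if the application reads op from the POST body rather than the query string, the access log will not show it and the same check has to run against application-level request logs instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# Request paths and module names are assumptions; only the "op" value
# risolvi-conflitti-database comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /index.php?module=aggiornamenti HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:09:14:30 +0000] "POST /actions.php?module=aggiornamenti&op=risolvi-conflitti-database HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:09:15:01 +0000] "POST /actions.php?module=interventi&op=add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:09:15:11 +0000] "POST /actions.php?op=risolvi-conflitti-database&module=aggiornamenti HTTP/1.1" 500 0 "-" "curl/8.4.0"
garbage line that does not parse
"""

# Combined Log Format prefix: client, ident, auth user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The op value of the vulnerable conflict-resolution action (from the advisory).
TARGET_OP = "risolvi-conflitti-database"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Query-string parameters, order-independent (op may appear anywhere in the string).
    rec["query"] = parse_qs(urlsplit(rec["target"]).query)
    return rec


def is_conflict_resolution_request(rec):
    """True for a POST whose query string carries op=risolvi-conflitti-database."""
    return rec["method"] == "POST" and TARGET_OP in rec["query"].get("op", [])


def find_conflict_resolution_requests(log_text):
    """Scan a whole log and return the matching requests as dicts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_conflict_resolution_request(rec):
            hits.append({k: rec[k] for k in ("ip", "user", "time", "status")})
    return hits


def count_by_source(hits):
    """Count matching requests per client address to spot repeated use of the endpoint."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_conflict_resolution_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]}  {h["ip"]}  status={h["status"]}  user={h["user"]}')
    print("per-source counts:", count_by_source(found))
```

The auth-user column of the access log is usually "-" because OpenSTAManager authenticates at the application layer, so each hit still needs to be matched against the application's own session or audit records to identify which account sent it; a hit from an account that has no business resolving database conflicts, or from an unfamiliar user agent, is what warrants a closer look.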

Impact and Risks

This vulnerability grants an attacker full control over the application’s database. The potential consequences are severe:

  • Data Theft: An attacker can exfiltrate sensitive information, including customer data, financial records, and internal business information.
  • Data Destruction or Manipulation: Attackers can use commands like DROP, ALTER, DELETE, or UPDATE to destroy, corrupt, or fraudulently modify data.
  • System Compromise: Commands like SELECT INTO OUTFILE can be used to write files to the server, potentially leading to a full system takeover or the deployment of persistent backdoors.

Remediation and Mitigation

The primary and only complete mitigation is to update the software immediately.

  1. Patch: Upgrade OpenSTAManager to version 2.10.2 or later. This update patches the vulnerability by implementing proper input validation and security controls.
  2. Access Control: As a temporary measure if patching is delayed, restrict network access to the OpenSTAManager interface and ensure all user accounts follow the principle of least privilege. However, this does not eliminate the risk from any authenticated user.


Security Insight

This vulnerability is a stark example of the risks inherent in building administrative “backdoor” features that bypass normal security layers. The deliberate disabling of foreign key checks to facilitate raw SQL execution reflects a development priority of convenience over security, a pattern seen in similar past incidents with other management software. It underscores the critical need for security reviews of all data-handling endpoints, especially those intended for internal troubleshooting.
