Vulnerability Description
SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8
- https://www.sogo.nu/news/2026/sogo-v5128-released.html
- https://www.vulncheck.com/advisories/sogo-sql-injection-via-adduserinacls-endpoi
FAQ
What is CVE-2026-8851?
CVE-2026-8851 is a vulnerability with a CVSS score of 8.1 (HIGH). SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by...
How severe is CVE-2026-8851?
CVE-2026-8851 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-8851?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.