CVE-2026-8851
Publication date 18 May 2026
Last updated 22 May 2026
Ubuntu priority
CVSS 3 severity score
Description
SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.
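The bug class described above, reduced to its essentials as an added illustration (hypothetical code written for this page, not SOGo's implementation): a uid concatenated into an INSERT is parsed as SQL, so a subquery placed in it runs and its result lands in the ACL table, where a normal read-back of the ACL returns it; the same insert done with a bound parameter stores the submitted string verbatim, and an allow-list on the uid rejects it before it reaches the database. The table names, columns, account, secret value and the `validate_uid` pattern are all constructed for the example.

```python
"""Vulnerable and hardened forms of an "add user to ACL" insert.

Hypothetical illustration of the CVE-2026-8851 bug class, not SOGo code.
Schema, column names, account data and the uid allow-list are constructed.
"""
import re
import sqlite3

# Assumed allow-list for account identifiers (constructed for this example).
UID_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

OBJ = "Calendar/personal"

# Constructed input: closes the string literal and splices in a subquery.
INJECTED_UID = "x' || (SELECT c_password FROM sogo_users WHERE c_uid = 'alice') || '"


def setup_db() -> sqlite3.Connection:
    """Constructed schema: an ACL table plus a table whose contents must not leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sogo_acl (c_uid TEXT, c_object TEXT, c_role TEXT)")
    conn.execute("CREATE TABLE sogo_users (c_uid TEXT, c_password TEXT)")
    conn.execute("INSERT INTO sogo_users VALUES ('alice', 'constructed-secret-hash')")
    return conn


def add_user_in_acls_vulnerable(conn: sqlite3.Connection, uid: str, obj: str) -> None:
    """String-built INSERT: whatever is in uid is interpreted as SQL."""
    sql = f"INSERT INTO sogo_acl VALUES ('{uid}', '{obj}', 'Viewer')"
    conn.execute(sql)


def validate_uid(uid: str) -> bool:
    """Reject anything that is not a plain account identifier."""
    return UID_RE.fullmatch(uid) is not None


def add_user_in_acls_fixed(conn: sqlite3.Connection, uid: str, obj: str) -> None:
    """Parameterised INSERT: uid is bound as data, never parsed as SQL."""
    conn.execute("INSERT INTO sogo_acl VALUES (?, ?, 'Viewer')", (uid, obj))


def stored_uids(conn: sqlite3.Connection, obj: str) -> list:
    """What a read-back of the object's ACL (the /acls-style view) returns."""
    rows = conn.execute("SELECT c_uid FROM sogo_acl WHERE c_object = ?", (obj,))
    return [r[0] for r in rows]


def demo_vulnerable() -> list:
    """The subquery executes and its result is written into the ACL row."""
    conn = setup_db()
    add_user_in_acls_vulnerable(conn, INJECTED_UID, OBJ)
    return stored_uids(conn, OBJ)  # ['xconstructed-secret-hash']


def demo_fixed() -> list:
    """With binding, the crafted string is stored exactly as submitted."""
    conn = setup_db()
    add_user_in_acls_fixed(conn, INJECTED_UID, OBJ)
    return stored_uids(conn, OBJ)  # [INJECTED_UID], unchanged


if __name__ == "__main__":
    print("vulnerable insert stored:", demo_vulnerable())
    print("parameterised insert stored:", demo_fixed())
    print("allow-list accepts 'alice':", validate_uid("alice"))
    print("allow-list accepts crafted uid:", validate_uid(INJECTED_UID))
```

The parameterised statement is the actual fix; the allow-list is defence in depth that also gives a clean rejection to log on, since a uid containing quotes or parentheses has no legitimate reason to reach the ACL endpoint.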
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| sogo | 26.04 LTS resolute | Needs evaluation |
| | 25.10 questing | Needs evaluation |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Needs evaluation |
| | 20.04 LTS focal | Needs evaluation |
| | 18.04 LTS bionic | Needs evaluation |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-8851
- https://github.com/Alinto/sogo/commit/f9b71059f4f382d7b337d16ce1257443ade43d02 (SOGo-5.12.8)
- https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8
- https://www.sogo.nu/news/2026/sogo-v5128-released.html
- https://www.vulncheck.com/advisories/sogo-sql-injection-via-adduserinacls-endpoint