CVE-2026-12076: SQL Injection in Raytha CMS
Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 1.5.2 but may also affect other versions.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection in Raytha CMS (version 1.5.2 confirmed) allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database by sending crafted OData filter parameters over the network. No authentication or victim interaction is required. Successful exploitation gives the attacker full read, write, and destructive access to every row in the database, including stored credentials. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection for CVE-2026-12076 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Raytha. Affected image layers are flagged in both registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and weights findings against each customer environment's configured compliance policy. Triage alerts are routed to the team inbox or ticket queue defined in the customer's notification settings, prioritizing this finding appropriately given its unauthenticated, network-reachable attack surface.
Status: Available
Because no fix version has been published by the vendor, no patched-image rebuild is currently available. HarborGuard re-evaluates the upstream advisory on every ingest cycle; the moment a patch is released, a rebuilt image becomes available and, for customers with auto-remediation enabled, a regression run and PR against affected workloads are opened automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability (Required): The attacker must be able to reach the Raytha HTTP service over the network; no prior foothold on the host is needed.
- Authentication (Not required): The OData filter endpoint is exposed without authentication, so any unauthenticated client can send a malicious payload.
- Victim interaction (Not required): The attack is fully server-side; no user needs to click a link or take any action for exploitation to succeed.
- Attack complexity (Detail): Attack complexity is low; the exploit is reliable and condition-free, requiring no race conditions, memory-layout knowledge, or special environmental state.
Blast Radius
- Reads all data stored in the PostgreSQL database, including hashed or plaintext credentials, session tokens, and application records.
- Modifies or deletes arbitrary database rows, enabling content tampering, account takeover, or wholesale data destruction.
- Extracts credentials that may enable lateral movement into other internal systems if passwords are reused.
- Crashes or corrupts database state in ways that bring the Raytha application offline.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-12076 is active for all images containing Raytha 1.5.2, with findings surfaced in registry scan results and pipeline gates. Because the vendor has not published a fix (CERT-PL noted unsuccessful contact attempts), no patched rebuild is currently available. While waiting for an upstream patch, customers can apply compensating controls: restrict network ingress to the Raytha OData endpoint using Kubernetes NetworkPolicy or equivalent firewall rules, place an authenticated reverse proxy or WAF rule in front of the endpoint to block unsanitized OData filter expressions, and treat any stored database credentials as potentially compromised if the service has been externally reachable. HarborGuard monitors the advisory on every ingest cycle; as soon as an upstream fix is published, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads.
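One way to implement the "block unsanitized OData filter expressions" control at an authenticating proxy is an allowlist check that rejects any filter outside a small known-good grammar. This is an added example, not HarborGuard or Raytha code; the accepted grammar, the `$filter` parameter name, the length limit and all function names are assumptions to adapt to the filters your deployment actually issues.

```python
import re
from urllib.parse import parse_qs

# Assumed policy, not Raytha's own grammar: a deliberately small OData subset.
OPS = ("eq", "ne", "gt", "ge", "lt", "le")
FUNCS = ("contains", "startswith", "endswith")
# One symbol per token class: O operator, C function, A and/or, X not, L literal.
CLASS = {**dict.fromkeys(OPS, "O"), **dict.fromkeys(FUNCS, "C"), "and": "A",
         "or": "A", "not": "X", "true": "L", "false": "L", "null": "L"}
# Strings and names must end at a token boundary; no quote escapes or operators.
TOKEN = re.compile(
    r"\s*(?:(?:(?P<str>'[A-Za-z0-9 _.@-]{0,64}')|(?P<num>\d{1,18})"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]{0,63}))(?![\w'.])|(?P<punct>[(),]))\s*",
    re.ASCII)  # ASCII-only \d, \s, \w so Unicode digits and spaces are refused

def shape_of(text):
    """Map the filter to a string of token classes; reject anything else."""
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:  # a character outside the allowlist
            raise ValueError(f"disallowed input at offset {pos}")
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "word":
            out.append(CLASS.get(val, "F"))  # any other word is a field name
        else:
            out.append({"str": "S", "num": "L"}.get(kind, val))  # punct as-is
        pos = m.end()
    return "".join(out)

def is_allowed_filter(text, max_len=256):
    """True only if the whole filter reduces to one predicate T."""
    if len(text) > max_len:
        return False
    try:
        shape = shape_of(text)
    except ValueError:
        return False
    shape = re.sub(r"C\(F,S\)|FO[SL]", "T", shape)  # func(field,'s') | field op lit
    while True:  # fold "not T", "(T)" and "T and/or T" until nothing changes
        reduced = re.sub(r"XT|\(T\)|TAT", "T", shape)
        if reduced == shape:
            return shape == "T"
        shape = reduced

def query_is_allowed(query, param="$filter"):  # parameter name is an assumption
    """Decode once, refuse repeated filters, validate the single value."""
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    return len(values) <= 1 and all(map(is_allowed_filter, values))
```

Filters outside the subset are rejected rather than repaired, so legitimate queries that use other OData features need the grammar extended before this sits in the request path. The check narrows what reaches the vulnerable parser and does not replace the upstream fix.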
- Raytha / Raytha 1.5.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N