CVE-2026-34100: Guardian Language-System Unauthenticated SQL Injection via id Parameter in media.php
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in media.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Unauthenticated SQL injection in Guardian language-system allows a remote attacker to query the database without any credentials. The vulnerability is reachable over the network with no authentication required, as the id GET parameter in media.php is passed directly into a SQL query without sanitization. Successful exploitation gives the attacker full read and write access to the database, and can also disrupt service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-34100 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from Guardian language-system.
AvailableHarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and can weight that score against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within the customer org based on configured notification rules.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable media.php endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP to send a crafted id parameter.
- AuthenticationNot required
No credentials of any kind are needed; the vulnerable GET parameter is processed before any authentication check, making the attack fully anonymous. Note: the description mentions an authenticated attacker, but the CVSS vector records PR:N indicating no privileges are required.
- Victim interactionNot required
The attacker sends a direct HTTP request to the endpoint and no user action or interaction is involved.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race windows, or environmental factors to succeed.
Blast Radius
- Reads all data stored in the database, including file metadata, owner identifiers, and any other tables reachable via the injected query.
- Modifies or deletes persisted database rows, allowing an attacker to corrupt records or escalate access by altering stored credentials or permissions.
- Crashes or destabilizes the database service through destructive SQL statements, causing availability loss for the application.
- Extracts credentials or session data stored in the database, enabling further lateral movement within the application or connected systems.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-34100 is active across all environments where Guardian language-system images are present, with detection firing within minutes of the CVE's publication. Because no upstream fix exists as of the publication date, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. For customers with auto-remediation enabled, that flow includes a regression test run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls are worth considering: network-policy rules that restrict external access to the media.php endpoint, egress filtering on the database host to limit the blast radius of a successful injection, and feature-flag or WAF rules that block or sanitize the id query parameter at the edge. Customers should monitor HarborGuard advisory tracking for this CVE and configure alert routing so the right team is notified the moment a fix becomes available.
- guardian / language-system≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N