CVE-2026-34101: Guardian Language-System Unauthenticated SQL Injection via id Parameter in text_file.php
Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in text_file.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '".$_GET['id']."'. An unauthenticated attacker can perform error-based SQL injection to extract database contents.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects Guardian language-system, a PHP-based file management component. The application passes the id GET parameter directly into a raw SQL query in text_file.php without any sanitization or parameterization, allowing a remote attacker to manipulate the query structure. Successful exploitation gives an attacker full read and write access to the underlying database, including all stored file records, user data, and any other persisted content. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
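The parameterization the synopsis says is missing, as an added example (not Guardian's or HarborGuard's code, and not an upstream fix). It assumes PHP 8 with PDO and that file ids are decimal integers; find_file and the SQLite demo table are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Guardian's code. Assumes PHP 8, PDO, and decimal integer ids.

/**
 * Fetch one files row by id with a bound parameter.
 * Returns null when the id is malformed or no row matches.
 */
function find_file(PDO $pdo, mixed $rawId): ?array
{
    // Reject arrays (?id[]=...) and anything other than 1-18 decimal digits.
    if (!is_string($rawId) || preg_match('/\A[0-9]{1,18}\z/', $rawId) !== 1) {
        return null;
    }

    // Same column list as the query quoted in the advisory. The value travels
    // as a bound parameter, so it cannot alter the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT id, filename, extension, type, duration, owner, private
           FROM files WHERE id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo on an in-memory SQLite table holding one constructed sample row.
$pdo = new PDO('sqlite::memory:');
// Throw on database errors so they can be caught and logged server-side;
// error-based extraction depends on error text reaching the response.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT,
    extension TEXT, type TEXT, duration INTEGER, owner INTEGER, private INTEGER)');
$pdo->exec("INSERT INTO files VALUES (1, 'lesson', 'txt', 'text', 0, 7, 0)");

// In a request handler the call would be find_file($pdo, $_GET['id'] ?? null).
foreach (['1', '2', "1'", ['1']] as $candidate) {
    $row = find_file($pdo, $candidate);
    printf("%s => %s\n", json_encode($candidate), $row === null ? 'no row' : $row['filename']);
}
```

If ids in a given deployment are not numeric, drop the digit check and bind the value with PDO::PARAM_STR; the bound parameter is what removes the injection.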
HarborGuard Coverage
Detection for CVE-2026-34101 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Guardian language-system at or before commit e42c395ec4b03fe62973a669c9209a673838b8a4. Coverage applies to images in both registry scans and active CI/CD pipeline checks.
Status: Available
HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix or patched release is confirmed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint in text_file.php is exposed over the network, so an attacker must be able to reach the web service via HTTP or HTTPS.
- Authentication: Not required
  No credentials are required; the id parameter is accessible to unauthenticated requests, meaning any anonymous caller can submit a crafted payload.
- Victim interaction: Not required
  The attacker sends a crafted GET request directly to the server; no user action or social engineering is needed.
- Attack complexity: Detail
  Exploitation is straightforward and condition-free, with no race conditions or special environmental state required to land a working injection payload.
Blast Radius
- An attacker reads the full contents of the files table, including filenames, extensions, types, durations, owner identifiers, and private-flag values.
- Error-based SQL injection techniques allow enumeration of other database tables, extracting credentials, session tokens, or any other persisted application data.
- An attacker with write capability through stacked queries or writable SQL features can modify or delete database rows, corrupting stored records.
- Full database compromise disrupts service availability by dropping tables or flooding the backend with expensive injected queries, crashing dependent application features.
How HarborGuard Handles This
Available on HarborGuard: images containing Guardian language-system at or before the affected commit are flagged at CRITICAL severity immediately upon scan, with findings routed per each customer organization's compliance policy. Because no upstream fix currently exists, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix is published upstream. For customers with auto-remediation enabled, that rebuild will be followed by an automated regression run and a PR opened against affected workloads without requiring manual action. In the interim, compensating controls worth evaluating include placing a web application firewall rule to reject requests with SQL metacharacters in the id parameter, restricting network-policy access to the text_file.php endpoint to trusted internal sources only, and disabling the affected route via application feature-flag or server configuration if the functionality is not actively needed.
- guardian / language-system ≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N