How is CVE-2026-38812 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS to deliver the malicious payload. Authentication (not-required): The CVSS vector assigns PR:N, indicating no credentials are required, though the vulnerability description notes the affected endpoint may in practice be accessible only to admin-privileged accounts. Victim interaction (not-required): No victim interaction is needed; the attacker can send a crafted request directly to the endpoint without any user action. Attack complexity (info): Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special conditions, race wins, or environmental setup beyond network access to the endpoint.

What is the impact of CVE-2026-38812?

Reads arbitrary data from the underlying database, including stored credentials, session tokens, and application configuration records. Modifies or deletes persisted database rows, enabling tampering with application data or user accounts. Crashes or degrades the database service, causing a denial of service for all application functions that depend on it. Exposes the full schema and contents of any database accessible to the application's database user.

Back to search

CRITICALCVE-2026-38812Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-38812: RuoYi v4

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

SQL injection in RuoYi v4.8.2 affects the code generation module's /tool/gen/createTable endpoint. The vulnerability is reachable over the network and, based on the CVSS vector, requires no authentication, though the description notes an admin-privileged account may be involved in practice. Successful exploitation gives an attacker read and write access to the underlying database and can disrupt service availability. No fix version has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-38812 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from RuoYi v4.8.2 base layers.

Available

Triage

HarborGuard is capable of scoring this CVE at 9.8 CRITICAL (CVSS v3.1) and weighting that score against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within a customer organization based on image ownership and policy configuration.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard network-policy recommendations to restrict access to the affected endpoint.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS to deliver the malicious payload.
AuthenticationNot required
The CVSS vector assigns PR:N, indicating no credentials are required, though the vulnerability description notes the affected endpoint may in practice be accessible only to admin-privileged accounts.
Victim interactionNot required
No victim interaction is needed; the attacker can send a crafted request directly to the endpoint without any user action.
Attack complexityDetail
Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special conditions, race wins, or environmental setup beyond network access to the endpoint.

Blast Radius

Reads arbitrary data from the underlying database, including stored credentials, session tokens, and application configuration records.
Modifies or deletes persisted database rows, enabling tampering with application data or user accounts.
Crashes or degrades the database service, causing a denial of service for all application functions that depend on it.
Exposes the full schema and contents of any database accessible to the application's database user.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-38812 is active across all connected registries and pipelines for images running RuoYi v4.8.2. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger an automated patched-image rebuild as soon as a fix version is published; for customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads. While no patch is available, customers can use HarborGuard policy controls to flag or block deployment of affected images, apply network-policy isolation to restrict access to the /tool/gen/createTable endpoint to trusted internal networks only, and gate the code-generation module behind additional access controls at the infrastructure layer.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified