CVE-2026-40546 | Severity: HIGH | Published | Modified | CNA: CERT-PL

CVE-2026-40546: Multiple SQL Injections in SOPlanning

SOPlanning is vulnerable to SQL injection across multiple endpoints and parameters. An attacker with a low-privilege account can inject arbitrary SQL commands and potentially gain full control over the database. This issue affects SOPlanning version 1.55 and below.

Metrics

  • CVSS v4.0 score: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Multiple SQL injection vulnerabilities affect SOPlanning version 1.55 and below across several endpoints and parameters. An attacker can reach the vulnerable service over the network using any low-privilege account, with no victim interaction required, and inject arbitrary SQL commands into the database. Successful exploitation gives the attacker full read and write access to database contents, including all stored records. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package SOPlanning 1.55 or earlier. Any image found to carry an affected version is flagged immediately in the customer's scan results.

Status: Available
Triage

HarborGuard scores this CVE at 8.7 (HIGH) using the CVSS v4.0 vector and can weight the finding against each environment's compliance policy to set urgency and route the alert to the appropriate team inbox within the customer org.

Status: Available
Patch

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without requiring manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required
    The attacker must be able to reach the SOPlanning service over the network; no local or physical access to the host is necessary.

  • Authentication: Required
    Any low-privilege account is sufficient; no administrative or elevated credentials are needed to reach the vulnerable endpoints.

  • Victim interaction: Not required
    The attacker can exploit the vulnerability entirely on their own without any action from a user or administrator.

  • Attack complexity: Low
    The exploit is reliable and condition-free, with no race conditions or special environmental prerequisites required (AC:L/AT:N in the CVSS vector).

Blast Radius

  • Reads all data stored in the database, including user credentials, session tokens, scheduling records, and any other persisted application data.
  • Modifies or deletes persisted database rows, enabling tampering with planning records, user accounts, or application configuration.
  • The availability impact is rated low, meaning the database service remains largely operational but may experience degraded performance or partial disruption under sustained injection activity.
  • Because the CVSS vector rates subsequent-system impact as none (SC:N/SI:N/SA:N), the injections do not directly pivot to adjacent systems or services; their reach is limited to the SOPlanning application and its database.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked and matched against all images in customer registries and build pipelines. Because no upstream fix has been published for SOPlanning 1.55 or below, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream release is available. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically without manual intervention. In the interim, compensating controls worth considering include restricting network access to the SOPlanning service via Kubernetes network policy or firewall rules to limit the pool of accounts that can reach the vulnerable endpoints, and applying egress filtering to contain any outbound traffic that a successful injection might attempt to initiate.
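The network restriction described above, written out as a Kubernetes NetworkPolicy. This is an added illustration, not HarborGuard's or SOPlanning's own configuration; the namespace `planning`, the pod labels `app: soplanning` and `app: mariadb`, the ingress controller namespace `ingress-nginx` and the ports are assumptions for the example.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: soplanning-restrict
  namespace: planning              # assumed namespace of the SOPlanning deployment
spec:
  podSelector:
    matchLabels:
      app: soplanning              # assumed label on the SOPlanning pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller (or an internal reverse proxy) may reach the
    # application, so the vulnerable endpoints are not exposed to every pod in
    # the cluster while the upstream fix is pending.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - protocol: TCP
          port: 80
  egress:
    # Cluster DNS is the only general-purpose egress the application keeps.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The application database only; any other outbound connection a
    # successful injection might try to initiate is dropped.
    - to:
        - podSelector:
            matchLabels:
              app: mariadb             # assumed label on the database pod
      ports:
        - protocol: TCP
          port: 3306
```

NetworkPolicy is only enforced when the cluster's CNI plugin supports it, so confirm that before relying on this as a control. It narrows who can reach the endpoints and what the pod can talk to; it does not remove the injection, which still requires the upstream fix.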

Affected packages

  • SOPlanning / SOPlanning: ≤ 1.55

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N