HIGH | CVE-2026-44521 | Published | Modified | CNA: GitHub_M

CVE-2026-44521: elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.

HarborGuard Analysis

Synopsis

This is an authenticated SQL injection vulnerability in elFinder, the open-source web file manager, specifically within its MySQL volume driver (elFinderVolumeMySQL). The flaw is reachable over the network and requires only a low-privilege, logged-in account; any authenticated user, including read-only users, can craft a malicious file hash that injects SQL into the underlying database. Successful exploitation gives an attacker unauthorized read access to database contents and the ability to disrupt the service. Note: the description states the fix is version 2.1.68, but no patched release has been formally published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle elFinder. Affected image layers are flagged regardless of where they appear in the registry or CI pipeline.

Status: Available

Triage

HarborGuard's triage pipeline scores this finding at CVSS 8.8 (HIGH) using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix has been formally published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix version is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing the affected elFinder versions.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the elFinder web service via HTTP or HTTPS.

  • Authentication: Required

    A valid user account is sufficient; even low-privilege or read-only accounts can supply the crafted file hash that triggers the injection.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no action from another user or administrator is needed.

  • Attack complexity: Detail

    Exploitation is straightforward and condition-free; no race conditions, special memory layout, or environmental prerequisites are required to inject SQL reliably.

Blast Radius

  • Reads arbitrary rows from the MySQL database backing elFinder, which may include stored credentials, file metadata, and application configuration.
  • Discloses data from any table reachable by the database user configured for the MySQL volume driver, potentially extending beyond the elFinder schema.
  • Causes denial of service by injecting queries that lock tables or exhaust database connections, making the file manager and dependent services unavailable.
  • Integrity impact is rated High in the CVSS vector, meaning an attacker can modify or delete persisted database rows if the configured database account permits write operations.

How HarborGuard Handles This

Available on HarborGuard: because no formally published upstream fix exists for this CVE as of the publication date, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment Studio-42 publishes a confirmed release. In the meantime, customers can use HarborGuard's policy engine to flag or block promotion of any image containing elFinder versions below 2.1.68, preventing affected images from reaching staging or production. Compensating controls worth considering include network-policy isolation to restrict which internal services can reach the elFinder endpoint, and disabling the MySQL volume driver in the elFinder configuration if that storage backend is not required. For customers who opt into auto-remediation, a rebuild and regression run will be triggered automatically and a PR will be opened against affected workloads as soon as a fix version is confirmed upstream.
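The gating rule described above (versions below 2.1.68, with the MySQL volume driver as the condition for actual exposure) can be checked against a connector file as follows. This is an added example, not HarborGuard's policy engine or elFinder project code; it assumes the caller supplies the elFinder version string (for instance from an SBOM) and the connector's PHP source, and the sample connector is constructed.

```python
import re

FIXED = (2, 1, 68)  # first fixed release named in the advisory

# Constructed sample connector options (not taken from any real deployment).
SAMPLE_CONNECTOR = r"""
$opts = array('roots' => array(
    array('driver' => 'LocalFileSystem', 'path' => '../files/',
          'URL' => 'http://files.example/'),
    // array('driver' => 'FTP', 'host' => 'ftp.example'),
    array('driver' => 'MySQL', 'host' => 'db.internal', 'db' => 'elfinder'),
));
"""

# Match PHP string literals first so comment markers inside them
# (for example the // in a URL) are kept; real comments are dropped.
_STRIP = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S)
_DRIVER = re.compile(r"""['"]driver['"]\s*=>\s*['"](\w+)['"]""")


def parse_version(text):
    """Turn '2.1.67' or 'v2.1' into a comparable tuple such as (2, 1, 67)."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def configured_drivers(php_source):
    """Volume drivers named in active (non-commented) 'driver' => '...' pairs."""
    active = _STRIP.sub(lambda m: m.group(1) or "", php_source)
    return _DRIVER.findall(active)


def assess(version_text, php_source):
    """Return 'not-affected', 'flag' (vulnerable code present, MySQL driver
    not configured) or 'block' (vulnerable version with the driver in use)."""
    if parse_version(version_text) >= FIXED:
        return "not-affected"
    # Compare case-insensitively to err on the side of reporting.
    uses_mysql = any(d.lower() == "mysql" for d in configured_drivers(php_source))
    return "block" if uses_mysql else "flag"


if __name__ == "__main__":
    for v in ("2.1.67", "2.1.68"):
        print(v, assess(v, SAMPLE_CONNECTOR))
```

A driver name assembled at runtime (from a variable or environment lookup) is invisible to this static match, so a "flag" result still calls for the upgrade once a fixed release is available.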


Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: Studio-42 / elFinder < 2.1.68
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H