HarborGuard Database

CRITICAL · CVE-2026-45779 · CNA: GitHub_M

CVE-2026-45779: Open XDMoD Vulnerable to Unauthenticated SQL Injection Leading to Full Database Compromise

Open XDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 10.0.3 on 2023-08-04. As a workaround, apply the patch manually.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: (no fix version recorded)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection vulnerability in Open XDMoD (ubccr/xdmod) allows a remote attacker with no authentication to send crafted HTTP requests that execute arbitrary SQL statements against the underlying database. The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the service is reachable over the network, requires no credentials, and needs no victim interaction to trigger. Successful exploitation gives the attacker full read, write, and deletion access to all data in the database. Although the description references a patch in Open XDMoD 10.0.3, no fix version has been formally published in this CVE record; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is confirmed.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-45779 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images that bundle Open XDMoD or the ubccr/xdmod package. Any image in a customer registry or CI/CD pipeline carrying an affected version is flagged automatically.
Triage (Available)

Triage is available with the full CVSS v4.0 score of 9.3 (CRITICAL) surfaced alongside per-environment compliance policy weighting, so findings are prioritized and routed to the appropriate team inbox within each customer organization. Customers with custom severity thresholds or regulatory overlays see this finding weighted accordingly before it reaches the queue.
Patch (Pending upstream)

Because no fix version has been formally confirmed in this CVE record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream publishes a verified fix. In the interim, the advisory remains open and visible in the findings dashboard so affected images are not silently deprioritized.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends crafted requests from anywhere with IP connectivity to the target (AV:N).

  • Authentication: Not required

    No credentials of any privilege level are needed; the injection endpoint is fully accessible to unauthenticated requests (PR:N).

  • Victim interaction: Not required

    The attack is entirely attacker-driven; no user on the target system needs to click, open, or approve anything (UI:N).

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are required (AC:L/AT:N).

Blast Radius

  • Reads all data stored in the Open XDMoD database, including HPC job records, user account details, and any stored credentials or tokens (VC:H).
  • Writes or overwrites arbitrary database rows, enabling modification of job metrics, user roles, or configuration data (VI:H).
  • Deletes or corrupts database contents, causing loss of historical HPC data and potential service failure (VA:H).
  • Scope is limited to the vulnerable system itself; the CVSS vector records no impact on subsequent (adjacent) systems or services (SC:N/SI:N/SA:N).
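The exploit conditions and blast radius above are read directly off the record's CVSS v4.0 vector. The following added example (not HarborGuard's or Open XDMoD's code) parses a CVSS v4.0 base vector strictly, rejecting truncated or malformed strings, and derives the same exploit-condition checklist and per-system impact summary that the two lists above describe. The metric names and allowed values are the CVSS v4.0 base metrics; the vector string is the one published in this record.

```python
# CVSS v4.0 base vector as published in this CVE record.
CVE_2026_45779_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

# Allowed values for the eleven CVSS v4.0 base metrics.
BASE_METRICS = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    "VC": {"H": "High", "L": "Low", "N": "None"},
    "VI": {"H": "High", "L": "Low", "N": "None"},
    "VA": {"H": "High", "L": "Low", "N": "None"},
    "SC": {"H": "High", "L": "Low", "N": "None"},
    "SI": {"H": "High", "L": "Low", "N": "None"},
    "SA": {"H": "High", "L": "Low", "N": "None"},
}


def parse_cvss4_base(vector: str) -> dict:
    """Parse a CVSS v4.0 base vector into {metric: value}, rejecting malformed input.

    Only the base metrics are accepted; threat/environmental/supplemental
    metrics are treated as an error here so that a truncated or mangled vector
    is never silently accepted as complete.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploit_conditions(metrics: dict) -> dict:
    """Derive the exploit-condition checklist from the exploitability metrics."""
    conditions = {
        "network_reachable": metrics["AV"] == "N",
        "auth_required": metrics["PR"] != "N",
        "user_interaction_required": metrics["UI"] != "N",
        "condition_free": metrics["AC"] == "L" and metrics["AT"] == "N",
        "subsequent_system_impact": any(metrics[m] != "N" for m in ("SC", "SI", "SA")),
    }
    # "Zero-barrier": remotely reachable, no credentials, no victim action, no preconditions.
    conditions["zero_barrier"] = (
        conditions["network_reachable"]
        and not conditions["auth_required"]
        and not conditions["user_interaction_required"]
        and conditions["condition_free"]
    )
    return conditions


def blast_radius(metrics: dict) -> dict:
    """Map the vulnerable-system impact metrics onto the CIA triad."""
    return {
        "confidentiality": BASE_METRICS["VC"][metrics["VC"]],
        "integrity": BASE_METRICS["VI"][metrics["VI"]],
        "availability": BASE_METRICS["VA"][metrics["VA"]],
    }


if __name__ == "__main__":
    parsed = parse_cvss4_base(CVE_2026_45779_VECTOR)
    for key, val in exploit_conditions(parsed).items():
        print(f"{key:28s} {val}")
    print(blast_radius(parsed))
```

The strict parser matters in a triage pipeline: a vector that loses metrics in transit should fail loudly rather than be scored as if the missing impact metrics were "None".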

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked at CRITICAL severity and flagged against any image containing an affected version of ubccr/xdmod below 10.0.3. Because no fix version has been formally registered in the CVE record, HarborGuard will monitor the advisory on every ingest cycle and make a patched-image rebuild available automatically once an upstream fix is confirmed; for customers with auto-remediation enabled, that triggers a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the meantime, compensating controls are worth considering: network-policy isolation can restrict inbound access to the Open XDMoD service to known internal IP ranges, egress filtering can limit what the database process can reach if the injection is used to exfiltrate data outbound, and teams who can apply the upstream patch manually (as noted in the advisory) should do so immediately given the zero-barrier exploitability of this vulnerability.
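Matching an image inventory against the "< 10.0.3" range above is where home-grown scanners most often go wrong: comparing version strings lexically puts "9.10.1" after "10.0.3" and misses the affected image. The following added example (not HarborGuard's scanner) shows a numeric comparison that handles that case and treats a pre-release of the fixed version as still affected. The inventory, image names and versions are constructed sample data; the range is the one listed in this record.

```python
import re

# Affected range as listed in this record's "Affected packages" section.
AFFECTED = {"ubccr/xdmod": "< 10.0.3"}

# Dotted numeric version, optionally followed by a -/+ suffix (assumption for this example).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+].*)?$")


def version_key(version: str) -> tuple:
    """Turn '10.0.3' into a comparable key.

    Numeric components are compared as integers and padded to three places so
    '10.0' equals '10.0.0'; a pre-release suffix ('10.0.3-rc1') sorts below
    the final release, so it is still inside '< 10.0.3'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unparseable version {version!r}")
    numbers = tuple(int(n) for n in match.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    is_final = 1 if match.group(0) == match.group(1) else 0
    return numbers, is_final


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def is_affected(installed: str, constraint: str) -> bool:
    """Evaluate a single-bound constraint such as '< 10.0.3' against a version."""
    op, _, bound = constraint.strip().partition(" ")
    if op not in _OPS or not bound:
        raise ValueError(f"unsupported constraint {constraint!r}")
    return _OPS[op](version_key(installed), version_key(bound))


def flag_images(inventory, affected=AFFECTED):
    """Return (image, package, version) entries whose package falls in an affected range.

    inventory: iterable of (image, package, version) tuples, e.g. from an SBOM.
    """
    flagged = []
    for image, package, version in inventory:
        constraint = affected.get(package)
        if constraint and is_affected(version, constraint):
            flagged.append((image, package, version))
    return flagged


# Constructed sample inventory; image tags and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("example/xdmod-portal:old", "ubccr/xdmod", "9.10.1"),      # affected; lexical compare would miss it
    ("example/xdmod-portal:fixed", "ubccr/xdmod", "10.0.3"),    # fixed version
    ("example/xdmod-portal:rc", "ubccr/xdmod", "10.0.3-rc1"),   # pre-release of the fix: still affected
    ("example/xdmod-portal:newer", "ubccr/xdmod", "10.0.10"),   # later than the fix
    ("example/unrelated:1", "example/other-package", "1.0.0"),  # not in the affected list
]

if __name__ == "__main__":
    for entry in flag_images(SAMPLE_INVENTORY):
        print("AFFECTED", *entry)
```

Constraints with two bounds or real semver pre-release ordering would need a fuller comparator; the point here is that the match must be numeric per component, and that "9.10.1" < "10.0.3" lexically evaluates to False.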

Affected packages

  • ubccr/xdmod: < 10.0.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N