CRITICAL | CVE-2026-48114 | CNA: GitHub_M

CVE-2026-48114: Metacat has an unauthenticated SQL injection vulnerability

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity, allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.
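
The concatenation pattern described above, next to a parameterized insert, as an added example that is not Metacat's code: it is written in Python against an in-memory SQLite database rather than Java and PostgreSQL, and the three-column table layout and column names are assumptions. SQLite's execute() runs one statement per call, so the stacked-query behaviour the advisory attributes to PostgreSQL is not reproduced here.

```python
import sqlite3

# Hypothetical, reduced schema: only the three parameters named in the advisory.
SCHEMA = ("CREATE TABLE HARVEST_SITE_SCHEDULE "
          "(unit TEXT, contact_email TEXT, document_list_url TEXT)")

def quote_string(value):
    """Naive helper as the advisory describes it: wraps in quotes, never escapes."""
    return "'" + value + "'"

def insert_concat(conn, unit, contact_email, document_list_url):
    """Vulnerable pattern: request values become part of the SQL text."""
    sql = ("INSERT INTO HARVEST_SITE_SCHEDULE VALUES ("
           + quote_string(unit) + ", "
           + quote_string(contact_email) + ", "
           + quote_string(document_list_url) + ")")
    conn.execute(sql)

def insert_bound(conn, unit, contact_email, document_list_url):
    """Hardened pattern: fixed SQL text, values travel as bound parameters."""
    conn.execute("INSERT INTO HARVEST_SITE_SCHEDULE VALUES (?, ?, ?)",
                 (unit, contact_email, document_list_url))

def stored_rows(insert_fn, unit, contact_email, document_list_url):
    """Run one insert on a fresh in-memory DB; return rows or the error name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_fn(conn, unit, contact_email, document_list_url)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return conn.execute("SELECT * FROM HARVEST_SITE_SCHEDULE").fetchall()

# Constructed inputs: an ordinary apostrophe, and a value that closes the
# string literal early and supplies the remaining columns itself.
APOSTROPHE = ("O'Brien Lab", "pi@example.org", "https://example.org/list.xml")
SHIFT = ("lab', 'other@example.org', 'https://example.net/x') --",
         "pi@example.org", "https://example.org/list.xml")

if __name__ == "__main__":
    for name, args in (("apostrophe", APOSTROPHE), ("shift", SHIFT)):
        print(name, "concat:", stored_rows(insert_concat, *args))
        print(name, "bound: ", stored_rows(insert_bound, *args))
```

With concatenation the apostrophe input fails to parse and the second input decides what lands in the other two columns; with bound parameters both inputs are stored byte for byte in the unit column.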

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability exists in Metacat, the NCEAS data repository software, affecting versions 2.0.0 through 2.x (fixed in 3.0.0). The flaw is reachable over the network with no credentials required: the /harvesterRegistration endpoint passes attacker-controlled request parameters directly into a raw SQL INSERT via unsafe string concatenation, bypassing the intended LDAP identity check. Successful exploitation gives an attacker full read, write, and query-execution access to the underlying PostgreSQL database. A patched-image rebuild at Metacat 3.0.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that package Metacat, across all connected registries and CI pipelines.

Triage: Available

HarborGuard scores this finding at CVSS 9.8 Critical (v3.1) and is capable of weighting it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Patch: Pending upstream

A patched-image rebuild at Metacat 3.0.0 becomes available on HarborGuard for any image found to carry an affected version (2.0.0 through 2.x). For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable /harvesterRegistration endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the Metacat service.

  • Authentication: Not required

    The servlet does not enforce LDAP identity verification, so no account or session token is needed to reach the injection sink.

  • Victim interaction: Not required

    The attack is fully server-side; no user action, click, or social-engineering step is required.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free: crafting a malicious request parameter requires no race condition, memory layout knowledge, or environmental setup.

Blast Radius

  • Reads all data stored in the Metacat PostgreSQL database, including research datasets, user records, and configuration tables.
  • Modifies or deletes persisted database rows, including schedule records, dataset metadata, and access-control entries.
  • Executes stacked SQL statements via Statement.executeUpdate(), enabling the attacker to invoke database-level functions and alter schema objects.
  • Combines read and write access to exfiltrate sensitive researcher contact information and corrupt or destroy the integrity of stored scientific data.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48114 is active across all connected registries and pipelines, matching any image that bundles Metacat 2.0.0 through 2.x within minutes of the advisory being published. Because Metacat 3.0.0 carries the upstream fix, a patched-image rebuild at that version is available for any environment found running an affected image. For customers who opt into auto-remediation, HarborGuard can execute the full flow: rebuild the image at the fixed version, run regression tests, and open a pull request against affected workloads. Given the Critical severity (CVSS 9.8) and the absence of any authentication barrier, treating this as highest priority is warranted; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so teams can act manually.

Affected packages
  • NCEAS / metacat
    >= 2.0.0, < 3.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H