CVE-2026-50636 (HIGH) | CNA: VulnCheck

CVE-2026-50636: LimeSurvey RemoteControl invite_participants/remind_participants SQL Injection

The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote, authenticated attacker holding the tokens/update permission on a survey can inject a crafted array element to perform SQL injection. Because LimeSurvey configures its PDO connection with emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statements, the injection supports stacked queries: the attacker can append arbitrary additional statements (INSERT/UPDATE/DELETE/DROP/CREATE) after the original SELECT. This permits both arbitrary read of any data in the database, such as administrator bcrypt password hashes (lime_users), survey response PII, session records, and global settings, all recoverable via a SLEEP() time-based blind oracle, and arbitrary write/destruction of that data, including directly overwriting the administrator password hash for immediate account takeover or dropping/truncating tables. Reads and writes extend to any schema the application's database user can access. The RemoteControl interface (RPCInterface = json/xml) must be enabled, which is not the default.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 7.0.1
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a SQL injection vulnerability in the LimeSurvey RemoteControl API, specifically in the invite_participants and remind_participants methods. An authenticated attacker with tokens/update permission on a survey can reach the flaw over the network and inject crafted input into an unsanitized SQL clause, with stacked-query support enabling both arbitrary data reads and arbitrary writes to the database. Successful exploitation gives the attacker full read access to database contents (including administrator password hashes and survey PII) and full write access, up to and including direct account takeover or table destruction. A patched-image rebuild at version 7.0.1 is available on HarborGuard for environments running an affected version.
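As an added example (not LimeSurvey's own code), a hardened stand-in for the findUninvited() pattern described in the record and the synopsis above: every token ID is validated as a positive integer before any SQL is built, and the accepted IDs are bound as placeholders rather than concatenated into the IN clause. The function name fetchUninvited, the tokens_demo table and its rows are constructed for this example, and it runs against an in-memory SQLite PDO so no MySQL instance is needed.

```php
<?php
declare(strict_types=1);
// Added example, not LimeSurvey code. Table, column names and rows are
// constructed; the function stands in for the vulnerable findUninvited() pattern.

/**
 * Return not-yet-invited token rows for the given token IDs.
 * Each element of $tids must be a positive integer (int or digit string);
 * anything else is rejected before a query is built, and the accepted IDs
 * are bound as parameters instead of being concatenated into tid IN ('...').
 */
function fetchUninvited(PDO $db, array $tids): array
{
    $clean = [];
    foreach ($tids as $tid) {
        $ok = (is_int($tid) && $tid > 0)
            || (is_string($tid) && preg_match('/^[1-9][0-9]*$/', $tid) === 1);
        if (!$ok) {
            throw new InvalidArgumentException('token id must be a positive integer');
        }
        $clean[] = (int) $tid;
    }
    if ($clean === []) {
        return [];
    }
    // One positional placeholder per value; the driver handles quoting.
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare(
        "SELECT tid, token FROM tokens_demo WHERE sent = 'N' AND tid IN ($placeholders)"
    );
    $stmt->execute($clean);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also disable client-side emulation so statements are prepared
// server-side; the native protocol rejects stacked multi-statement input.
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec("CREATE TABLE tokens_demo (tid INTEGER PRIMARY KEY, token TEXT, sent TEXT)");
$db->exec("INSERT INTO tokens_demo VALUES (1,'aaa','N'), (2,'bbb','Y'), (3,'ccc','N')");

print_r(fetchUninvited($db, [1, '2', 3]));   // tid 1 and 3 only; 2 was already sent

try {
    fetchUninvited($db, [1, '3x']);           // non-numeric element is refused outright
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Parameter binding alone closes the injection even with emulated prepares; turning emulation off on MySQL is defense in depth, because server-side prepared statements cannot carry the stacked queries the record describes.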

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50636 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle LimeSurvey. Coverage applies regardless of whether the image is pulled from a public registry or built internally.

Triage: Available

HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector from the record, and that score is available as a weighted signal inside each customer environment's compliance policy. Triage findings are routed to the team inbox or ticketing integration configured for each organization, so the right engineers see the alert without manual sorting.

Patch: Available

A patched-image rebuild targeting LimeSurvey 7.0.1 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the LimeSurvey RemoteControl API endpoint over the network; the CVSS vector specifies AV:N, meaning network exposure is a precondition.

  • Authentication: Required

    A valid account holding the tokens/update permission on at least one survey is needed; any low-privilege account with that grant is sufficient (PR:L).

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker interacts directly with the API endpoint (UI:N).

  • Attack complexity: Low

    Attack complexity is low (AC:L): the injection is reliable and requires no race conditions, special memory layout, or other environmental factors to trigger.

Blast Radius

  • Reads any data the application database user can access, including administrator bcrypt password hashes from lime_users, survey response PII, session records, and global settings, recoverable via time-based blind injection even without direct output channels.
  • Writes or destroys arbitrary database rows, including overwriting the administrator password hash for immediate account takeover.
  • Drops or truncates tables, causing permanent data loss and application failure.
  • Extends read and write access to any other schema accessible to the LimeSurvey database user, not only the LimeSurvey schema itself.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image found to include an affected LimeSurvey version, covering both registry-hosted and pipeline-built images. For environments with auto-remediation enabled, HarborGuard can rebuild the image at the fixed version (7.0.1), run regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in such environments. Where compliance policy requires manual approval, the rebuilt image and diff are staged and waiting for engineer sign-off. Until a rebuild is deployed, consider restricting access to the RemoteControl API at the network layer (the interface is disabled by default and should remain so unless explicitly required) and reviewing which accounts hold the tokens/update permission to reduce the set of principals who could exploit this path.


Fix available: 7.0.1

Affected packages
  • LimeSurvey / LimeSurvey: ≤ 7.0 (fixed in 7.0.1)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N