CVE-2026-55721: SQL Injection in StoneFly Storage Concentrator
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: 8.0.4.22
- Affected Products: 2
HarborGuard Analysis
Synopsis
SQL injection in StoneFly Storage Concentrator (SC and SCVM) allows an unauthenticated remote attacker to manipulate database queries through unsanitized cookie values processed by the login.pl and debug.pl scripts. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation gives the attacker read access to session tokens, password hashes, and stored secret keys, and limited write access to the underlying database. Patched-image rebuilds at versions 8.0.4.22 and 8.0.4.29 are available on HarborGuard for affected environments.
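The bug class described above, as an added example that is neither StoneFly's code nor HarborGuard's: a constructed Python/sqlite3 model of a login handler that splices a cookie value straight into SQL text, beside the parameterized form that closes the hole. The table names, the cookie name `session`, the rows and the UNION payload are all assumptions made for this illustration; they are not a reproduction of the real scripts or of any actual exploit.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the concentrator's database.
    The schema and rows are assumptions for this example, not StoneFly's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT, username TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT, secret_key TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('a1b2c3', 'admin')")
    conn.execute("INSERT INTO users VALUES ('admin', 'sha512:deadbeef', 'S3CR3T-KEY')")
    conn.commit()
    return conn


def parse_cookie(header):
    """Split a Cookie: header into a dict. Deliberately naive: it does no
    validation, which is why the raw value reaches the query untouched."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def lookup_session_vulnerable(conn, cookie_header):
    """Models the bug class: the cookie value is interpolated into the SQL
    text, so a quote inside the cookie changes the query's structure."""
    sid = parse_cookie(cookie_header).get("session", "")
    sql = "SELECT sid, username FROM sessions WHERE sid = '%s'" % sid
    return conn.execute(sql).fetchall()


def lookup_session_fixed(conn, cookie_header):
    """Hardened form: the cookie value travels as a bound parameter and can
    only ever be compared against sid, never parsed as SQL."""
    sid = parse_cookie(cookie_header).get("session", "")
    return conn.execute(
        "SELECT sid, username FROM sessions WHERE sid = ?", (sid,)
    ).fetchall()


# Constructed payload: closes the string literal, appends a UNION that pulls
# credential material from another table, and comments out the trailing quote.
ATTACK_COOKIE = "session=x' UNION SELECT pwhash, secret_key FROM users--"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_session_vulnerable(db, ATTACK_COOKIE))
    print("fixed:     ", lookup_session_fixed(db, ATTACK_COOKIE))
```

The same fix applies in Perl, where `.pl` scripts of this kind usually talk to the database through DBI: prepare the statement with a `?` placeholder and pass the cookie value to `execute`, rather than interpolating it into the query string. No amount of cookie "sanitization" substitutes for that, because the handler runs before authentication and every byte of the header is attacker-controlled.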
HarborGuard Coverage
Detection for CVE-2026-55721 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built variants of the Storage Concentrator. Any image running a version below 8.0.4.22 will be flagged in registry scans and CI/CD pipeline checks automatically.
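For teams that want to cross-check their own inventory rather than rely on a scanner, here is an added example (not HarborGuard's matching logic) of the version comparison that the "below 8.0.4.22" rule needs. The pitfall it guards against is comparing dotted version strings lexically, which ranks 8.0.4.9 above 8.0.4.22 and would miss an affected build. The inventory and registry names are constructed placeholders.

```python
FIXED_VERSION = "8.0.4.22"  # first fixed version named by the advisory


def parse_version(text):
    """'8.0.4.9' -> (8, 0, 4, 9). Only dotted integers are accepted; anything
    else raises so a malformed tag is surfaced instead of silently passing."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version, fixed=FIXED_VERSION):
    """True when version sorts below the fixed version, compared component
    by component rather than as strings."""
    return parse_version(version) < parse_version(fixed)


def flag_images(inventory, fixed=FIXED_VERSION):
    """inventory: iterable of (image_ref, version) pairs; returns the image
    refs that still run an affected Storage Concentrator build."""
    return [ref for ref, ver in inventory if is_affected(ver, fixed)]


# Constructed inventory; registry names are placeholders, not real images.
SAMPLE_INVENTORY = [
    ("registry.example.internal/stonefly/sc:8.0.4.9", "8.0.4.9"),
    ("registry.example.internal/stonefly/scvm:8.0.4.22", "8.0.4.22"),
    ("registry.example.internal/stonefly/sc:8.0.4.29", "8.0.4.29"),
    ("registry.example.internal/stonefly/sc:7.9.12.3", "7.9.12.3"),
]

if __name__ == "__main__":
    for ref in flag_images(SAMPLE_INVENTORY):
        print("AFFECTED:", ref)
```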
HarborGuard scores this CVE at CVSS 9.2 Critical and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at versions 8.0.4.22 and 8.0.4.29 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Storage Concentrator service over the network; the vulnerable scripts are exposed via standard HTTP/HTTPS endpoints.
- Authentication: Not required
No credentials are needed; the injection point is the cookie header, which is processed before any authentication check, so the attacker requires no account on the target system.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly to the target; no user action or social engineering is required.
- Attack complexity: Low
The exploit is reliable and requires no special conditions, race timing, or knowledge of the target environment beyond network access.
Blast Radius
- Reads session tokens stored in the database, enabling session hijacking against authenticated users.
- Reads password hashes and stored secret keys, which can be cracked offline or used directly to escalate access.
- Writes limited modifications to persisted database rows in the directly affected system (low integrity impact on the Storage Concentrator itself).
- Reads data from systems that the Storage Concentrator database has trust relationships with, extending the confidentiality exposure beyond the immediate host (high confidentiality impact on downstream or connected components).
How HarborGuard Handles This
Available on HarborGuard: detection for this Critical SQL injection fires within minutes of CVE publication for any customer image running Storage Concentrator below version 8.0.4.22. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version, runs a regression test, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who review patches manually before merge, the rebuilt image is staged and the finding is routed with full CVSS context and fix-version detail to the owning team. Given the combination of network exposure, zero authentication required, and direct access to session tokens and credential material, treating this as an immediate priority is warranted regardless of compensating controls. Patching closes the injection point but does not revoke anything already read from the database: where pre-patch exposure cannot be ruled out, rotate the stored secret keys, reset user passwords, and invalidate active sessions after upgrading.
Fix available
- StoneFly / Storage Concentrator: affected < 8.0.4.22 (from 0); fixed in 8.0.4.29
- StoneFly / Storage Concentrator Virtual Machine: affected < 8.0.4.22 (from 0); fixed in 8.0.4.29
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N