CRITICAL | CVE-2026-55721 | CNA: icscert

CVE-2026-55721: SQL Injection in StoneFly Storage Concentrator

Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.

Metrics

  • CVSS v4.0: 9.2
  • Severity: CRITICAL
  • Fixed in: 8.0.4.22
  • Affected Products: 2


HarborGuard Analysis

Synopsis

SQL injection in StoneFly Storage Concentrator (SC and SCVM) allows an unauthenticated remote attacker to manipulate database queries through unsanitized cookie values processed by the login.pl and debug.pl scripts. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation gives the attacker read access to session tokens, password hashes, and stored secret keys, and limited write access to the underlying database. Patched-image rebuilds at versions 8.0.4.22 and 8.0.4.29 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-55721 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built variants of the Storage Concentrator. Any image running a version below 8.0.4.22 will be flagged in registry scans and CI/CD pipeline checks automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.2 Critical and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at versions 8.0.4.22 and 8.0.4.29 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Storage Concentrator service over the network; the vulnerable scripts are exposed via standard HTTP/HTTPS endpoints.

  • Authentication: Not required

    No credentials are needed; the injection point is the cookie header processed before any authentication check, so the attacker requires no account on the target system.

  • Victim interaction: Not required

    The attacker sends a crafted HTTP request directly to the target; no user action or social engineering is required.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of the target environment beyond network access.
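
The cookie-to-query flaw described on this page, shown as an added example (not StoneFly's code and not part of the original advisory): a hypothetical Perl DBI session lookup in the weak form and in a hardened form. The `sessions` table, the 32-hex-character token format and both function names are assumptions, and the script needs DBI and DBD::SQLite.

```perl
#!/usr/bin/perl
# Added example with a hypothetical schema and names; not vendor code.
use strict;
use warnings;
use DBI;

# In-memory database standing in for a session store (constructed data).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL)');
$dbh->do('INSERT INTO sessions (token, username) VALUES (?, ?)',
         undef, 'a' x 32, 'admin');

# Weak pattern: the cookie value becomes part of the SQL text, so its
# content can change the structure of the statement.
sub lookup_session_unsafe {
    my ($cookie) = @_;
    my $sql = "SELECT username FROM sessions WHERE token = '$cookie'";
    my ($user) = $dbh->selectrow_array($sql);
    return $user;
}

# Hardened pattern: allow-list the token format, then bind it as data.
sub lookup_session {
    my ($cookie) = @_;
    return unless defined $cookie && $cookie =~ /\A[0-9a-f]{32}\z/;
    my ($user) = $dbh->selectrow_array(
        'SELECT username FROM sessions WHERE token = ?', undef, $cookie);
    return $user;
}

# Constructed cookie values: a known token, an unknown token, a malformed one.
for my $cookie ('a' x 32, 'b' x 32, "abc'def") {
    my $safe   = lookup_session($cookie) // '(rejected or unknown)';
    my $unsafe = eval { lookup_session_unsafe($cookie) };
    my $note   = $@             ? 'SQL error: input reached the SQL parser'
               : defined $unsafe ? $unsafe
               :                   'no row';
    printf "%-34s hardened=%-22s unsafe=%s\n", $cookie, $safe, $note;
}
```

A database error triggered by a stray quote in a cookie is the signal that request data is being parsed as SQL; the hardened lookup rejects that value before any query runs.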

Blast Radius

  • Reads session tokens stored in the database, enabling session hijacking against authenticated users.
  • Reads password hashes and stored secret keys, which can be cracked offline or used directly to escalate access.
  • Writes limited modifications to persisted database rows in the directly affected system (low integrity impact on the Storage Concentrator itself).
  • Reads data from systems that the Storage Concentrator database has trust relationships with, extending the confidentiality exposure beyond the immediate host (high confidentiality impact on downstream or connected components).

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical SQL injection fires within minutes of CVE publication for any customer image running Storage Concentrator below version 8.0.4.22. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed version, runs a regression test, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who review patches manually before merge, the rebuilt image is staged and the finding is routed with full CVSS context and fix-version detail to the owning team. Given the combination of network exposure, zero authentication required, and direct access to session tokens and credential material, treating this as immediate priority is warranted regardless of compensating controls.


Fix available: 8.0.4.22, 8.0.4.29
Affected packages
  • StoneFly / Storage Concentrator
    < 8.0.4.22 (from 0)
    Fixed in 8.0.4.29
  • StoneFly / Storage Concentrator Virtual Machine
    < 8.0.4.22 (from 0)
    Fixed in 8.0.4.29
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N