CVE-2026-8851 Alinto CVE debrief

Who should care

Organizations running SOGo versions 5.12.7 or earlier for email and groupware services; security teams responsible for database-backed web applications; administrators managing SOGo deployments with multi-user ACL configurations

Technical summary

The vulnerability exists in SOGo's Access Control List management functionality, specifically the `addUserInAcls` endpoint. The `uid` parameter accepts unsanitized input that can be manipulated to inject SQL subqueries. This allows authenticated attackers with low privileges to: (1) inject malicious SQL to extract arbitrary data from the database, (2) write extracted data into the `sogo_acl` table as a staging area, and (3) retrieve the exfiltrated data through legitimate `/acls` API calls. The attack requires network access and valid authentication credentials but no user interaction. The CVSS 4.0 score of 8.6 reflects high confidentiality and integrity impacts with a network attack vector and low attack complexity.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade to SOGo 5.12.8 or later to remediate the SQL injection vulnerability
• Review and restrict access to ACL management functionality to trusted administrative users only
• Monitor database query logs for anomalous SQL subqueries or unexpected writes to the sogo_acl table
• Implement Web Application Firewall rules to detect and block SQL injection patterns in the uid parameter of addUserInAcls requests
• Audit existing sogo_acl table entries for unauthorized data that may have been exfiltrated prior to patching
• Validate input sanitization on all SOGo API endpoints handling database queries

Evidence notes

Vulnerability confirmed through official SOGo release notes and VulnCheck advisory. CWE-89 (SQL Injection) classification provided by disclosure source. Fix version 5.12.8 explicitly mentioned in vendor release materials.

Official resources