PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31069 BillaBear CVE debrief

CVE-2026-31069 is a high-severity SQL injection in BillaBear's EventRepository. The issue comes from direct interpolation of user-controlled metric filter names and aggregation properties into SQL via sprintf(), while only the filter values are parameterized. Because the identifiers are not sanitized or quoted, an authenticated attacker with ROLE_ACCOUNT_MANAGER access can influence the query structure and potentially execute arbitrary SQL.

Vendor: BillaBear
Product: billabear
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

BillaBear operators, application owners, and developers who maintain the EventRepository or any query-building code that accepts metric filters or aggregation properties from authenticated users.

Technical summary

The source description says BillaBear versions prior to January 2026 are affected. In EventRepository, metric filter names and aggregation properties are inserted into SQL strings with sprintf() without proper identifier handling. Although the filter values themselves are parameterized, the filter keys are not, which creates a classic CWE-89 SQL injection condition. NVD records the issue as CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps it to CWE-89.

Defensive priority

High priority. Even though the attack requires authentication and ROLE_ACCOUNT_MANAGER access, the flaw is network-reachable and can expose data, alter records, or disrupt the application through SQL execution. Patch or mitigate before continuing normal use.

Recommended defensive actions

  • Upgrade to the first BillaBear release that includes the January 2026 fix, or a later patched version, if available.
  • Review EventRepository and any similar query builders for sprintf()-based SQL construction that uses user-controlled identifiers.
  • Replace dynamic SQL identifiers with a strict allowlist or fixed mapping to known column names, and apply database-safe identifier quoting where appropriate.
  • Limit ROLE_ACCOUNT_MANAGER membership to the smallest possible set of trusted users and review any delegated access paths.
  • Inspect database and application logs for unexpected query errors, unusual metric-filter activity, or other signs of SQL tampering.
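The following added example (not BillaBear's code; written in Python against an in-memory SQLite table for illustration) contrasts the flawed pattern from the technical summary, where identifiers are formatted into the SQL text and only the values are bound, with the allowlist-plus-identifier-quoting fix recommended above. The column names, the `events` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed allowlists standing in for the real metric columns (assumption, not BillaBear's code).
ALLOWED_FILTER_COLUMNS = frozenset({"customer_id", "event_name", "region"})
ALLOWED_AGGREGATE_PROPERTIES = frozenset({"amount", "quantity"})

def build_query_vulnerable(filters, aggregate_property):
    """The flawed shape the CVE describes: identifiers are formatted straight into
    the SQL text while only the values become bind parameters."""
    where = " AND ".join("%s = ?" % name for name in filters)
    sql = "SELECT SUM(%s) FROM events WHERE %s" % (aggregate_property, where)
    return sql, list(filters.values())

def build_query_safe(filters, aggregate_property):
    """Hardened shape: each identifier must be in a fixed allowlist and is then
    wrapped in standard double-quote identifier quoting; values stay bound."""
    for name in filters:
        if name not in ALLOWED_FILTER_COLUMNS:
            raise ValueError("rejected filter column: %r" % name)
    if aggregate_property not in ALLOWED_AGGREGATE_PROPERTIES:
        raise ValueError("rejected aggregate property: %r" % aggregate_property)
    where = " AND ".join('"%s" = ?' % name for name in filters)
    sql = 'SELECT SUM("%s") FROM events WHERE %s' % (aggregate_property, where)
    return sql, list(filters.values())

def make_sample_db():
    """Constructed in-memory table; card_number stands in for data the metric
    endpoint must never be allowed to aggregate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (customer_id INTEGER, event_name TEXT, "
                 "region TEXT, amount REAL, quantity INTEGER, card_number INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", [
        (7, "invoice.paid", "eu", 10.0, 1, 4111),
        (7, "invoice.paid", "us", 20.0, 2, 4111),
        (9, "invoice.paid", "eu", 5.0, 1, 5500),
    ])
    return conn

def metric_total(conn, filters, aggregate_property):
    """Runs the hardened query; raises ValueError for any unknown identifier."""
    sql, params = build_query_safe(filters, aggregate_property)
    return conn.execute(sql, params).fetchone()[0]

def identifier_rejected(filters, aggregate_property):
    """True when the hardened builder refuses the request outright."""
    try:
        build_query_safe(filters, aggregate_property)
    except ValueError:
        return True
    return False
```

Calling `build_query_vulnerable({"customer_id": 7}, "card_number")` shows the caller steering the query onto a column the endpoint was never meant to expose, while the same request through `metric_total` is refused before any SQL is sent.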

Evidence notes

The CVE description states that user-controlled metric filter names and aggregation properties are directly interpolated into SQL queries using sprintf() without sanitization or identifier quoting, and that ROLE_ACCOUNT_MANAGER users can exploit the flaw. NVD metadata marks the issue as CWE-89, gives it CVSS 3.1 8.8, and shows vulnStatus as Deferred. The referenced project repository is BillaBear/BillaBear, which aligns with the affected component named in the CVE description.

Official resources

Publicly disclosed in the CVE record on 2026-05-19 and updated in NVD on 2026-05-20. NVD currently lists the vulnerability status as Deferred.