PatchSiren

CVE-2026-46445 Mail Archive CVE debrief

CVE-2026-46445 is a SQL injection issue in SOGo before 5.12.7 when PostgreSQL is used. The supplied advisory metadata rates it CVSS 7.1 (High) with network reachability, low privileges, and no user interaction, so affected PostgreSQL-backed deployments should be patched promptly.

Vendor: Mail Archive
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

SOGo administrators, mail/groupware operators, database and application security teams, and anyone running SOGo with PostgreSQL in production or internet-facing environments.

Technical summary

The GitHub Advisory Database entry for CVE-2026-46445 identifies CWE-89 (SQL Injection) in SOGo versions before 5.12.7, specifically when PostgreSQL is the backend. The advisory metadata lists CVSS v3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L, indicating remote exposure with low privileges and potentially significant confidentiality and integrity impact.

Defensive priority

High priority for any SOGo deployment using PostgreSQL; upgrade as soon as possible and verify exposure across all instances.

Recommended defensive actions

  • Upgrade SOGo to version 5.12.7 or later on all affected deployments.
  • Confirm whether each SOGo instance uses PostgreSQL; prioritize patching any PostgreSQL-backed installation.
  • Review application and database logs for unusual or unexpected SQL activity around the exposure window.
  • If suspicious activity is found, treat the instance as potentially impacted and assess data confidentiality and integrity.
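
The first two actions above can be scripted as an inventory check. This is an added example, not code from the SOGo project or the advisory. It assumes the configuration stores database locations as key = "scheme://..." settings; the function names, sample configuration and key names are constructed for illustration.

```python
import re

FIXED = (5, 12, 7)  # first fixed SOGo release named in this debrief

# Assumed config syntax: one  key = "scheme://...";  setting per line.
_DB_URL = re.compile(r'^\s*(\w+)\s*=\s*"([a-z][a-z0-9+.-]*)://', re.I)

# Constructed sample config; key names and credentials are illustrative.
SAMPLE_CONF = """{
  /* SOGoProfileURL = "mysql://sogo:CHANGEME@db/sogo/sogo_user_profile"; */
  SOGoProfileURL = "postgresql://sogo:CHANGEME@127.0.0.1:5432/sogo/sogo_user_profile";
  // OCSFolderInfoURL = "postgresql://sogo:CHANGEME@127.0.0.1:5432/sogo/sogo_folder_info";
  OCSFolderInfoURL = "mysql://sogo:CHANGEME@127.0.0.1:3306/sogo/sogo_folder_info";
}"""


def parse_version(text):
    """Leading dotted-numeric part of a version string as a 3-field tuple."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def postgres_settings(config_text):
    """Names of active settings whose URL scheme is PostgreSQL.

    Only key names are returned, so credentials embedded in the URL never
    reach a report or ticket.
    """
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)  # drop /* */ blocks
    keys = []
    for line in text.splitlines():
        m = _DB_URL.match(line)  # a line starting with // cannot match \w+
        if m and m.group(2).lower() in ("postgresql", "postgres"):
            keys.append(m.group(1))
    return keys


def triage(version, config_text):
    """Return (status, postgres_keys) for one instance."""
    pg_keys = postgres_settings(config_text)
    if parse_version(version) >= FIXED:  # numeric compare: 5.9.1 < 5.12.7
        return "patched", pg_keys
    return ("affected" if pg_keys else "outdated-not-postgresql"), pg_keys


if __name__ == "__main__":
    for v in ("5.12.6-1", "5.9.1", "5.12.7"):
        print(v, *triage(v, SAMPLE_CONF))
```

An "outdated-not-postgresql" result still calls for the upgrade; it only lowers the instance's priority relative to PostgreSQL-backed ones.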

Evidence notes

Primary evidence comes from the GitHub Advisory Database entry GHSA-vhv6-3crj-r8jm and the linked official SOGo 5.12.7 release notice. The advisory metadata explicitly lists CVE-2026-46445, CWE-89, and CVSS v3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L. NVD also lists the CVE, and the supplied source item is marked unreviewed, so the linked SOGo references are important for corroboration of the affected version and fix.

Official resources

The CVE and supplied source advisory were published on 2026-05-14; NVD published the detail page at 2026-05-14T04:17:03Z. This debrief uses the CVE publication date as the issue date. The supplied source item is unreviewed and the vendor-mc