PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46446 Mail Archive CVE debrief

CVE-2026-46446 is a HIGH-severity SQL injection issue affecting SOGo before 5.12.7 in deployments that use PostgreSQL or MariaDB and store passwords in cleartext. The advisory ties the flaw to the changePasswordForLogin path and the c_password = '%@' SQL construction pattern. The supplied sources indicate a public fix was released in SOGo 5.12.7, with the advisory published on 2026-05-14. The GitHub advisory is marked unreviewed, so defenders should rely on the upstream release note and fix references when validating remediation.

Vendor: Mail Archive
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

SOGo administrators and operators, especially those using PostgreSQL or MariaDB and any environment that stores passwords in cleartext. Security teams responsible for authentication flows and database-backed password management should prioritize review.

Technical summary

The issue is an SQL injection in the password-change flow. According to the advisory text, the risky code path is changePasswordForLogin, where the query is assembled with the c_password = '%@' construction pattern the advisory calls out. The supplied CVSS vector reflects the reported impact: network reachable, high attack complexity, low privileges required, no user interaction, high impact to confidentiality and integrity, and low impact to availability.
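To make the construction pattern concrete, the following added example (not SOGo's code and not taken from the advisory) reproduces the defect class in Python: a format string splices the new password straight into the UPDATE statement text, next to the parameterized form that a fix would use. SQLite stands in for PostgreSQL or MariaDB, and the table sogo_users, the column c_uid, and the sample row are constructed for the demo; the assumption is that single-quote string literal syntax behaves the same way for the purpose of the comparison.

```python
"""Added illustration of the c_password = '%@' construction pattern.

This is NOT SOGo's code. It mimics the defect class the advisory describes:
an application-side format string interpolates a user-supplied value into the
SQL text. SQLite stands in for PostgreSQL/MariaDB (assumption). The table and
column names below are constructed for the demo.
"""
import sqlite3


def open_demo_db() -> sqlite3.Connection:
    """Constructed schema: one user row with a cleartext password column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sogo_users (c_uid TEXT PRIMARY KEY, c_password TEXT)")
    conn.execute("INSERT INTO sogo_users VALUES ('alice', 'old-secret')")
    conn.commit()
    return conn


def build_update_unsafe(uid: str, new_password: str) -> str:
    """Vulnerable pattern: the value becomes part of the statement text, the
    Python counterpart of an Objective-C c_password = '%@' format string."""
    return "UPDATE sogo_users SET c_password = '%s' WHERE c_uid = '%s'" % (new_password, uid)


def change_password_unsafe(conn: sqlite3.Connection, uid: str, new_password: str) -> str:
    """Runs the formatted statement. Returns the stored password on success, or
    the exception class name when the interpolated value broke the statement."""
    try:
        conn.execute(build_update_unsafe(uid, new_password))
        conn.commit()
    except sqlite3.Error as exc:
        return type(exc).__name__
    row = conn.execute("SELECT c_password FROM sogo_users WHERE c_uid = ?", (uid,)).fetchone()
    return row[0]


def change_password_safe(conn: sqlite3.Connection, uid: str, new_password: str) -> str:
    """Hardened pattern: placeholders make the driver send the value separately
    from the statement text, so quote characters in it cannot change the
    statement's structure."""
    conn.execute("UPDATE sogo_users SET c_password = ? WHERE c_uid = ?", (new_password, uid))
    conn.commit()
    row = conn.execute("SELECT c_password FROM sogo_users WHERE c_uid = ?", (uid,)).fetchone()
    return row[0]


if __name__ == "__main__":
    # An ordinary password that happens to contain an apostrophe is enough to
    # show the difference: the formatted statement no longer parses, while the
    # bound version stores the value verbatim.
    benign = "O'Brien-2026"
    print(change_password_unsafe(open_demo_db(), "alice", benign))  # OperationalError
    print(change_password_safe(open_demo_db(), "alice", benign))    # O'Brien-2026
```

The point for reviewers is that the unsafe version fails (or, with other inputs, changes meaning) purely because the value participates in parsing; the safe version never lets it. When auditing the applied 5.12.7 patch, the thing to confirm is that the password value is bound rather than formatted into the statement.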

Defensive priority

High. Upgrade affected SOGo deployments to 5.12.7 or later as soon as practical. Then confirm whether the environment uses PostgreSQL or MariaDB and whether passwords are stored in cleartext; if both conditions hold, the deployment was exposed, so treat it as a priority review and check for abnormal authentication or database activity.

Recommended defensive actions

  • Upgrade SOGo to version 5.12.7 or later.
  • Confirm whether the affected deployment uses PostgreSQL or MariaDB.
  • Verify whether passwords are stored in cleartext and plan to eliminate that configuration.
  • Review the upstream release note and fix reference to confirm the applied patch.
  • Inspect authentication and database activity for signs of unexpected password-change or SQL execution behavior.
  • Rotate credentials and investigate further if you suspect the vulnerable path was abused.
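The last two actions ask operators to look for unexpected password-change statements. The added example below (not a PatchSiren or SOGo artefact) shows one structural way to do that over a database statement log: every UPDATE that touches c_password is compared against the exact shape a correctly bound statement would have (one string literal for the password, one for the uid, nothing else), and anything that deviates is flagged. The log lines are constructed in the style of PostgreSQL's "LOG:  statement:" output (assumption), and the table name sogo_users and column c_uid are assumptions; the column c_password comes from the advisory.

```python
"""Added detection sketch; not PatchSiren's or SOGo's code.

It scans statement-log lines (assumption: PostgreSQL log_statement style
"LOG:  statement: ..." entries; the sample lines are constructed) for password
updates whose text does not match the shape a correctly bound statement would
produce. Table name sogo_users and column c_uid are assumptions; c_password is
the column named in the advisory.
"""
import re
from typing import List

# Shape of a legitimate password-change statement once the value is in place:
# exactly one SQL string literal ('' is the only escape), then a WHERE clause
# binding a single uid literal, then nothing else.
EXPECTED = re.compile(
    r"^UPDATE \w+ SET c_password = '(?:[^']|'')*' WHERE c_uid = '(?:[^']|'')*';?\s*$",
    re.IGNORECASE,
)
IN_SCOPE = re.compile(r"^UPDATE \w+ SET c_password\b", re.IGNORECASE)
STATEMENT = re.compile(r"LOG:\s+statement:\s+(.*)$")

# Constructed sample log: two well-formed password updates (one with an
# escaped apostrophe), one unrelated SELECT, and one update whose WHERE clause
# no longer binds a single uid.
SAMPLE_LOG = """\
2026-05-14 07:01:10 UTC [2211] LOG:  statement: UPDATE sogo_users SET c_password = 'Spring-2026!' WHERE c_uid = 'alice'
2026-05-14 07:01:11 UTC [2211] LOG:  statement: SELECT c_password FROM sogo_users WHERE c_uid = 'alice'
2026-05-14 07:02:45 UTC [2214] LOG:  statement: UPDATE sogo_users SET c_password = 'O''Brien-2026' WHERE c_uid = 'bob'
2026-05-14 07:03:02 UTC [2219] LOG:  statement: UPDATE sogo_users SET c_password = 'x' WHERE c_uid = 'carol' OR c_uid = 'dave'
"""


def flag_password_updates(log_text: str) -> List[str]:
    """Return the password-change statements whose text deviates from the
    expected single-literal shape. Statements that are not password updates
    are ignored; escaped quotes inside the literal are accepted."""
    flagged = []
    for line in log_text.splitlines():
        match = STATEMENT.search(line)
        if not match:
            continue
        stmt = match.group(1).strip()
        if not IN_SCOPE.match(stmt):
            continue
        if not EXPECTED.match(stmt):
            flagged.append(stmt)
    return flagged


if __name__ == "__main__":
    for stmt in flag_password_updates(SAMPLE_LOG):
        print("review:", stmt)
```

Matching against the expected shape rather than against a list of bad tokens keeps the check honest about what a legitimate password change looks like; any statement outside that shape is worth a look regardless of why it differs. Pair a hit with the application's authentication log for the same timestamp before deciding whether credentials need rotating.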

Evidence notes

The supplied sources identify the issue as CVE-2026-46446 / GHSA-37h6-wqp6-qg5g, with CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L and score 7.1. Publication timing in the provided corpus is 2026-05-14T06:31:32Z for the advisory/CVE record, with an NVD publication timestamp of 2026-05-14T04:17:03Z. Supporting references include the upstream SOGo 5.12.7 release note, an upstream pull request diff, and a Debian bug thread. No KEV entry was supplied.

Official resources

Publicly disclosed in the CVE record, NVD, and GitHub Advisory Database on 2026-05-14. The supplied GitHub advisory is marked unreviewed, and no CISA KEV listing was provided in the source corpus.