PatchSiren cyber security CVE debrief
CVE-2026-42425 Openkm CVE debrief
CVE-2026-42425 documents an unrestricted SQL execution vulnerability in OpenKM 6.3.12, published 2026-05-26. The flaw resides in the DatabaseQuery administrative interface, where authenticated administrative users can submit arbitrary SQL statements via the qs parameter to the /admin/DatabaseQuery endpoint. This enables extraction of sensitive data, including usernames and password hashes from the OKM_USER table, as well as permission modification or deletion of database records. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, high privileges required, and high impact on confidentiality, integrity, and availability. The vulnerability is classified as CWE-89 (SQL Injection). Multiple disclosure sources, including Terra System Labs and VulnCheck, have published technical details and detection templates. The vendor field carries low confidence and requires review; Docker is identified as a reference domain candidate. No KEV listing or known ransomware campaign use is documented.
- Vendor: Openkm
- Product: OpenKM Community Edition
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running OpenKM 6.3.12 with administrative access exposed to untrusted networks; security teams responsible for document management system hardening; database administrators managing OpenKM backend infrastructure; incident response teams monitoring for credential compromise or data exfiltration from document repositories.
Technical summary
OpenKM 6.3.12's DatabaseQuery administrative interface fails to restrict SQL statement execution, allowing authenticated administrative users to submit arbitrary queries through the qs parameter. Attackers with valid admin credentials can extract sensitive user data including password hashes, modify database permissions, or delete records. The vulnerability requires high privileges but poses severe confidentiality, integrity, and availability risks given direct database access capabilities.
Defensive priority
HIGH
Recommended defensive actions
- Restrict administrative access to the /admin/DatabaseQuery endpoint to trusted IP ranges or require additional authentication factors
- Monitor for anomalous SQL query patterns in application and database logs, particularly SELECT statements against the OKM_USER table
- Apply input validation and parameterized query enforcement at the DatabaseQuery interface if source code modification is possible
- Review database user permissions to enforce least privilege, limiting potential impact of compromised administrative credentials
- Deploy web application firewall rules to detect and block SQL injection patterns in qs parameter submissions
- Subscribe to OpenKM security advisories for official patch availability given NVD Deferred status
- Audit existing administrative accounts and session activity for indicators of unauthorized DatabaseQuery access
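As an added detection example (not part of the PatchSiren debrief or of OpenKM's own code), the following Python scans web-server access-log lines for requests to the /admin/DatabaseQuery endpoint and rates each submitted qs statement, covering the monitoring and audit actions above; the log lines, the combined-log layout, and every table name other than OKM_USER are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint, parameter and user table named in the advisory.
ENDPOINT = "/admin/DatabaseQuery"
PARAM = "qs"
WRITE_VERBS = ("DELETE", "UPDATE", "INSERT", "DROP", "ALTER", "TRUNCATE")

# Combined-log-format request line: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; EXAMPLE_TABLE is a placeholder, not a real OpenKM table.
SAMPLE_LOG = [
    '10.0.0.5 - admin [26/May/2026:10:01:02 +0000] "GET /admin/DatabaseQuery?qs=SELECT+*+FROM+OKM_USER HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [26/May/2026:10:02:10 +0000] "GET /admin/DatabaseQuery?qs=DELETE+FROM+EXAMPLE_TABLE+WHERE+ID%3D7 HTTP/1.1" 200 310',
    '10.0.0.9 - jsmith [26/May/2026:10:03:44 +0000] "GET /frontend/index.jsp HTTP/1.1" 200 8800',
    '10.0.0.5 - admin [26/May/2026:10:04:01 +0000] "POST /admin/DatabaseQuery HTTP/1.1" 200 412',
    '10.0.0.5 - admin [26/May/2026:10:05:30 +0000] "GET /admin/DatabaseQuery?qs=SELECT+COUNT(*)+FROM+EXAMPLE_TABLE HTTP/1.1" 200 120',
]

def classify_query(sql: str) -> str:
    """Rate one statement: 'high' for any read of OKM_USER or any write verb, else 'medium'."""
    text = " ".join(sql.split()).upper()          # collapse whitespace, ignore case
    if "OKM_USER" in text or text.startswith(WRITE_VERBS):
        return "high"
    return "medium"                               # every DatabaseQuery use is audit-worthy

def scan_access_log(lines):
    """Return one finding per request to the DatabaseQuery endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs decodes %XX and '+'; a POST body is not visible here, so qs may be absent
        stmts = parse_qs(url.query).get(PARAM) or [None]
        for stmt in stmts:
            findings.append({
                "ip": m["ip"], "user": m["user"], "time": m["ts"],
                "method": m["method"], "status": int(m["status"]), "query": stmt,
                "severity": classify_query(stmt) if stmt else "medium",
            })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["user"], f["ip"], f["method"], f["query"])
```

Because the qs value of a POST request travels in the body, access logs only show that the endpoint was hit; pair this with application or database query logging for full coverage.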
Evidence notes
CVE description confirms authenticated administrative access required for exploitation. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H. CWE-89 classification present. Source references include exploit disclosure repository, nuclei detection templates, vendor Docker image, Terra System Labs research post, Exploit-DB entry, vendor website, and VulnCheck advisory. NVD status: Deferred.