PatchSiren cyber security CVE debrief

CVE-2026-4317 Umami Software application CVE debrief

A critical SQL injection vulnerability exists in Umami Software's web application, where the 'timezone' request parameter is improperly sanitized before being interpolated into database queries. The vulnerability stems from unsafe use of raw query functions including 'prisma.rawQuery', 'prisma.$queryRawUnsafe', and raw ClickHouse queries, allowing authenticated attackers to execute arbitrary SQL commands. With a CVSS score of 9.3 (CRITICAL), successful exploitation enables database compromise and execution of dangerous functions. The vulnerability requires authentication but is otherwise exploitable over the network with low attack complexity. The CVE was published on March 31, 2026, with the most recent modification on May 19, 2026. The vulnerability status is currently marked as 'Deferred' in the NVD.

Vendor: Umami Software application
Product: Umami Software
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-31
Original CVE updated: 2026-05-19
Advisory published: 2026-03-31
Advisory updated: 2026-05-19

Who should care

Organizations running Umami Software analytics platforms, particularly those with externally accessible dashboards or multi-tenant deployments where authenticated access is broadly available. Database administrators and application security teams responsible for Prisma ORM and ClickHouse implementations should prioritize assessment and remediation.

Technical summary

The vulnerability exists in the timezone parameter handling of Umami Software's web application. The application fails to properly filter or sanitize user-supplied timezone values before interpolating them directly into SQL queries using unsafe raw query methods. This allows authenticated attackers to inject malicious SQL payloads through the timezone parameter, resulting in arbitrary SQL command execution against the underlying database (including ClickHouse deployments). The vulnerability is classified under CWE-89 (SQL Injection) and carries a CRITICAL severity rating due to the potential for complete database compromise.

Defensive priority

critical

Recommended defensive actions

  • Apply patches from Umami Software when available, prioritizing systems with external-facing analytics dashboards
  • Implement parameterized queries or prepared statements to replace raw query functions (prisma.rawQuery, prisma.$queryRawUnsafe, ClickHouse raw queries)
  • Add input validation and sanitization for the 'timezone' parameter, restricting to allowed timezone values from a whitelist
  • Enable comprehensive SQL query logging and monitoring to detect anomalous query patterns
  • Review and restrict database account permissions according to the principle of least privilege, limiting the impact of a successful SQL injection
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the timezone parameter
  • Conduct security code review of all raw query implementations in the application
  • Monitor for unauthorized database access or data exfiltration attempts
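The two remediation items above (replace raw interpolation with bound parameters, and allowlist the 'timezone' value) can be combined in a single request-handling path. The following is an added example written for this debrief; it is not Umami's code and does not reproduce the vulnerable function. It assumes Node.js 18 or later so that Intl.DateTimeFormat can act as the allowlist of IANA timezone names, and it uses a constructed table name (`events`) and a Postgres-style `$1` placeholder to show the shape of a bound query; with Prisma the same idea corresponds to the tagged `$queryRaw` template rather than `$queryRawUnsafe` with string concatenation.

```javascript
// Added example (not Umami's own code): allowlist-validate a user-supplied
// timezone and bind it as a query parameter instead of interpolating it.
// Assumes Node.js 18+ (Intl.DateTimeFormat with a timeZone option).

// Structural check first: IANA names are letters, digits, '_', '+', '-' and
// at most two '/' separators. Quotes, spaces, ';' and '--' never pass.
const TZ_SHAPE = /^[A-Za-z_]+(?:\/[A-Za-z0-9_+\-]+){0,2}$/;

// Returns the canonical IANA name the runtime knows, or null for anything else.
function validateTimezone(input) {
  if (typeof input !== 'string' || input.length > 64) return null;
  if (!TZ_SHAPE.test(input)) return null;
  try {
    // ICU rejects unknown zones with a RangeError; resolvedOptions() gives
    // the canonical spelling (e.g. 'utc' -> 'UTC').
    return new Intl.DateTimeFormat('en-US', { timeZone: input })
      .resolvedOptions().timeZone;
  } catch (e) {
    return null;
  }
}

// Vulnerable shape (the pattern the advisory describes, table name constructed):
// the raw value lands inside the SQL text, so whatever the client sent becomes
// part of the statement the database parses.
function buildQueryUnsafe(timezone) {
  return "SELECT date_trunc('day', created_at AT TIME ZONE '" + timezone +
    "') AS day, count(*) FROM events GROUP BY day";
}

// Hardened shape: validate against the allowlist, then hand the value to the
// driver as a bound parameter. The SQL text never contains client input.
function buildQuerySafe(timezone) {
  const tz = validateTimezone(timezone);
  if (tz === null) throw new Error('invalid timezone parameter');
  return {
    text: "SELECT date_trunc('day', created_at AT TIME ZONE $1) AS day, " +
          'count(*) FROM events GROUP BY day',
    params: [tz],
  };
}
```

The shape regex is defence in depth: the Intl check alone would reject a string containing a quote, but failing fast on the character class keeps malformed input away from the ICU lookup and makes the rejection cheap to log. Logging the rejected value (truncated) at the validation boundary also gives the SQL-monitoring action above a clean signal without waiting for the database to see a malformed query.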

Evidence notes

Primary evidence sourced from INCIBE-CERT advisory via NVD reference. Vendor attribution marked as low confidence requiring review due to 'Unknown Vendor' classification in source data. CVSS 4.0 vector confirms network attack vector, low attack complexity, low privileges required, and high impacts to confidentiality, integrity, and availability. CWE-89 (SQL Injection) classified as primary weakness.
