PT-2026-38306 · Daptin · Daptin

Alpakalee · Published 2026-05-06 · Updated 2026-05-07 · CVE-2026-44349

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Daptin versions prior to 0.11.5

Description

An issue exists in the processFuzzySearch function within server/resource/resource findallpaginated.go where the software fails to validate the column parameter against a whitelist. When using the 'GET /api/' endpoint with the operator parameter set to fuzzy, fuzzy any, or fuzzy all, the user-supplied column value is split by commas and interpolated directly into raw SQL queries. This allows any authenticated user, including those who self-registered, to perform boolean-blind SQL injection to read the entire database.

Technical details regarding the exploitation include:
  • API Endpoint: 'GET /api/'
  • Vulnerable Parameters: column and operator
  • Vulnerable Function: processFuzzySearch()
Depending on the database driver, the injection may require specific fuzzy options.fallback mode values for PostgreSQL, MySQL, or MSSQL, while SQLite is vulnerable by default.

Recommendations

Update to version 0.11.5. As a temporary workaround, restrict access to the 'GET /api/' endpoint or avoid using the fuzzy, fuzzy any, and fuzzy all operators until the update is applied.
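
The missing check described above, shown as an added Go example. It is not Daptin's code and not the 0.11.5 patch. The helper name `buildFuzzyPredicate`, the column set, and the sample inputs are assumptions made for illustration: each comma-separated column name must match a known column exactly, and the search term is passed as a bound parameter.

```go
package main

import (
	"fmt"
	"strings"
)

// buildFuzzyPredicate is a hypothetical helper (not Daptin's code). It turns a
// comma-separated column parameter into a WHERE fragment, accepting only names
// present in the table's known column set and binding the search term.
// Assumption: the allowlist is built from the schema and holds plain identifiers.
func buildFuzzyPredicate(columnParam, term string, allowed map[string]bool) (string, []interface{}, error) {
	var clauses []string
	var args []interface{}
	for _, raw := range strings.Split(columnParam, ",") {
		col := strings.TrimSpace(raw)
		// Exact-match lookup: anything that is not a known column name is
		// rejected, so no request text ever reaches the SQL string.
		if !allowed[col] {
			return "", nil, fmt.Errorf("unknown column %q", col)
		}
		// The identifier comes from the allowlist; the term is a bound value.
		clauses = append(clauses, fmt.Sprintf(`LOWER("%s") LIKE ?`, col))
		args = append(args, "%"+strings.ToLower(term)+"%")
	}
	return "(" + strings.Join(clauses, " OR ") + ")", args, nil
}

func main() {
	// Constructed schema and inputs for illustration.
	allowed := map[string]bool{"title": true, "body": true}
	for _, param := range []string{"title,body", "title, body) OR (1=1"} {
		sql, args, err := buildFuzzyPredicate(param, "Report", allowed)
		fmt.Printf("column=%q -> sql=%q args=%v err=%v\n", param, sql, args, err)
	}
}
```

The second constructed input is rejected at the allowlist lookup, before any SQL text is built.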

Exploit

Fix

SQL injection

Related Identifiers

CVE-2026-44349
GHSA-PWQG-Q8PG-PP6R

Affected Products

Daptin