Boolean-Based Blind SQL Injection via Improper ORDER BY Clause Input Validation

High
chamikaJ published GHSA-f2f8-2ppj-85pf Feb 10, 2026

Package

No package listed

Affected versions

<= v2.1.6

Patched versions

v2.1.7

Description

Summary

Multiple SQL injection vulnerabilities exist in the Worklenz backend due to improper validation of user-controlled input in SQL query construction. The vulnerabilities affect dynamic sorting (ORDER BY clauses), IN clause filtering, DELETE operations, and direct parameter interpolation across 9 backend controllers and 1 Socket.io handler.

An authenticated attacker with low privileges can exploit these vulnerabilities through:

  1. Boolean-based blind SQL injection via ORDER BY clause manipulation
  2. SQL injection through the unsafe flatString() helper function in IN clauses
  3. SQL injection via direct string interpolation of user IDs, task IDs, and filters
  4. Mass deletion attacks via unsafe DELETE statement construction

The vulnerabilities affect critical components including project management, task tracking, reporting (with financial data exposure), and real-time features. Although query results may not be returned directly in some cases, attackers can use behavioral differences as a Boolean oracle to extract sensitive database information. In other cases, direct query results are accessible or data can be modified/deleted.

All vulnerabilities have been addressed through the implementation of parameterized queries using a new SqlHelper utility class and comprehensive input validation.

Detailed proof-of-concept requests and response evidence were shared privately with the maintainers during coordinated disclosure.

Impact

Successful exploitation allows an authenticated attacker with low-level privileges to:

Data Exfiltration

  • Extract sensitive database information including user credentials and authentication tokens
  • Access personally identifiable information (PII)
  • Retrieve financial data including billable/non-billable time logs and project costs
  • Exfiltrate internal application data (project details, task assignments, resource allocations)

Data Manipulation

  • Modify database records including project data, task assignments, and time logs
  • Escalate privileges by modifying user roles and permissions
  • Manipulate financial records (billable hours, project costs)

Data Destruction

  • Delete critical data through unsafe DELETE operations
  • Execute mass deletion attacks (e.g., WHERE id IN ('1') OR '1'='1--') deletes all records)
  • Disrupt service availability

This may lead to complete database compromise, financial fraud, compliance violations, and significant business impact.

Workarounds

There are no workarounds for this vulnerability. Users must upgrade to the patched version v2.1.7 or later.

As a temporary mitigation until upgrade is possible:

  • Restrict API access to highly trusted authenticated users only
  • Implement additional monitoring for suspicious query patterns or unexpected errors
  • Review application logs for potential exploitation attempts
  • Consider temporarily disabling affected features if feasible

However, these mitigations do not fully address the vulnerability and upgrade is required.

Patches

The vulnerability has been patched in version v2.1.7 (commit 76e5cb0f).

Fix Implementation

  1. New SqlHelper Utility Class - Provides secure parameterized query construction methods including buildInClause(), buildWhereClause(), and other safe query builders
  2. Parameterized Query Refactoring - All 10 affected files converted to use parameterized queries with PostgreSQL's $1, $2, $3... placeholder syntax
  3. Input Validation - Comprehensive validation including:
    • UUID format validation for IDs
    • Color code whitelisting against allowed values
    • Sort field whitelisting with safe field mapping
    • Rejection of invalid inputs before query construction
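The following TypeScript is an added illustration of the three fix classes listed above (placeholder-based IN clauses, sort-field whitelisting with safe column mapping, and UUID validation before query construction). It is not Worklenz code and not the SqlHelper class from commit 76e5cb0f; the function names echo the advisory's description but their bodies, the tasks table and its column names, and the helper names assertUuids, buildOrderBy, buildDeleteByIds and buildTaskList are assumptions made for the example. The unsafeDeleteByIds function reproduces the interpolation pattern the advisory describes so the difference is visible.

```typescript
// Added example, not Worklenz code. Table and column names are assumed.

export interface ParamQuery {
  text: string;     // SQL with $1, $2, ... placeholders (PostgreSQL syntax)
  values: unknown[]; // bound separately, never spliced into the text
}

// VULNERABLE shape described by the advisory: user-controlled ids are
// spliced into the SQL text, so a value such as "1') OR '1'='1" becomes
// part of the statement instead of being treated as data.
export function unsafeDeleteByIds(ids: string[]): string {
  const list = ids.map((id) => `'${id}'`).join(",");
  return `DELETE FROM tasks WHERE id IN (${list})`;
}

// UUID format check (8-4-4-4-12 hex). Anything else is rejected before a
// query is built, which blocks both injection and malformed ids.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export function isUuid(value: unknown): value is string {
  return typeof value === "string" && UUID_RE.test(value);
}

export function assertUuids(ids: unknown[]): string[] {
  for (const id of ids) {
    if (!isUuid(id)) throw new Error(`invalid id: ${String(id)}`);
  }
  return ids as string[];
}

// Builds "IN ($n, $n+1, ...)" and returns the values to bind alongside it.
// startIndex lets the clause be appended to a query that already uses $1..$n-1.
export function buildInClause(values: unknown[], startIndex = 1): ParamQuery {
  if (values.length === 0) throw new Error("IN clause needs at least one value");
  const placeholders = values.map((_, i) => `$${startIndex + i}`).join(", ");
  return { text: `IN (${placeholders})`, values: [...values] };
}

// Sort whitelist: client-facing keys map to fixed column expressions, so the
// client never supplies SQL text. A Map (not a plain object) is used so that
// keys like "constructor" or "__proto__" cannot resolve through the prototype.
const SORT_FIELDS = new Map<string, string>([
  ["name", "t.name"],
  ["created", "t.created_at"],
  ["end_date", "t.end_date"],
]);

export function buildOrderBy(sortBy: unknown, order: unknown): string {
  const column = typeof sortBy === "string" ? SORT_FIELDS.get(sortBy) : undefined;
  if (column === undefined) throw new Error("unsupported sort field");
  const direction = order === "desc" ? "DESC" : "ASC"; // only two literal outcomes
  return `ORDER BY ${column} ${direction}`;
}

// Hardened DELETE: ids are validated as UUIDs, then bound as parameters.
export function buildDeleteByIds(ids: unknown[]): ParamQuery {
  const inClause = buildInClause(assertUuids(ids));
  return { text: `DELETE FROM tasks WHERE id ${inClause.text}`, values: inClause.values };
}

// Hardened sorted listing: project id is bound as $1, ORDER BY comes from the whitelist.
export function buildTaskList(projectId: unknown, sortBy: unknown, order: unknown): ParamQuery {
  if (!isUuid(projectId)) throw new Error("invalid project id");
  return {
    text: `SELECT t.id, t.name FROM tasks t WHERE t.project_id = $1 ${buildOrderBy(sortBy, order)}`,
    values: [projectId],
  };
}
```

The returned text and values pair is the shape node-postgres accepts as client.query(text, values), so the placeholders are resolved by the driver and a value like "1') OR '1'='1" can only ever be compared against the id column as a string (and here is rejected earlier by the UUID check). Note that ORDER BY columns cannot be bound as parameters in PostgreSQL, which is why the sort field goes through a whitelist rather than a placeholder.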

Affected Files

  • worklenz-backend/src/shared/sql-helpers.ts (NEW)
  • worklenz-backend/src/controllers/project-categories-controller.ts
  • worklenz-backend/src/controllers/projects-controller.ts
  • worklenz-backend/src/controllers/tasks-controller-v2.ts
  • worklenz-backend/src/controllers/project-templates/pt-tasks-controller.ts
  • worklenz-backend/src/controllers/project-workload/workload-gannt-controller.ts
  • worklenz-backend/src/controllers/schedule/schedule-controller.ts
  • worklenz-backend/src/controllers/reporting/projects/reporting-projects-controller.ts
  • worklenz-backend/src/controllers/reporting/reporting-members-controller.ts
  • worklenz-backend/src/socket.io/commands/on-task-timer-stop.ts

All users should upgrade to v2.1.7 or later immediately.

Timeline

  • Discovery Date: 2025-12-28
  • Initial Vendor Notification: 2025-12-29
  • Vendor Acknowledgment: 2025-12-29
  • Patch Released: 2026-01-09 (version 2.1.7)
  • Public Disclosure: 2026-01-12

Credit

This vulnerability was discovered and reported by:

Severity

High

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2026-25947

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.
