SQL Injection (CWE-89)CVSS 8.6Insane

SQL Injection on api.redacted-target.com through /api/v1/auth/login via POST parameter "module" leads to Sensitive Data Exposure and Remote Code Execution

May 20, 2026

71 views

€470

Vulnerability Summary

Pre-authenticated SQL Injection on api.redacted-target.com through /api/v1/auth/login via POST parameter "module" leads to Sensitive Data Exposure and Remote Code Execution

Summary

A vulnerability was identified in the application's login endpoint where the value of a JSON field in the POST body was concatenated directly into the column list of a backend SQL query. An unauthenticated attacker could inject arbitrary PostgreSQL expressions into this position, achieving full read access to the production database, arbitrary local file reads as the database OS user, and the ability to overwrite arbitrary files writable by that same user.

Vulnerability Details

The endpoint /api/v1/auth/login accepts a JSON body with fields email, password, and module. The backend uses the value of module to build a SELECT query that looks structurally like:

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

SQL Injection on api.target.example through /api/v1/projects via POST parameter "tableName" leads to Remote Code Execution (RCE)

Pre-authenticated Remote Code Execution on POST /api/v1/projects via a stacked SQL injection in the JSON field tableName (interpolated by String.format into the FROM clause), abusing PgJDBC's multi-statement handling and a PostgreSQL superuser role to invoke COPY ... TO PROGRAM and run arbitrary OS commands as the postgres user.

LogicalBreach Academy