CVE-2026-8054 PUBLISHED

Unauthenticated SQL Injection in dotCMS Publish Audit API

Assigner: dotCMS
Reserved: 06.05.2026 Published: 27.05.2026 Updated: 27.05.2026

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	dotCMS
Product	dotCMS Core
Versions	Default: unaffected affected from 25.11.04-1 to 26.04.28-02 (incl.) Version 26.04.28-03 is unaffected

Credits

Gerhard Botha — reported to dotCMS through responsible disclosure. Gerhard's GitHub profile: https://github.com/GerhardBotha97 finder

References

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE

Impacts

An unauthenticated remote attacker can execute arbitrary SQL against the dotCMS database via the Publish Audit API endpoints, leading to disclosure, modification, or destruction of data.