CVE-2020-26712

9.8 CRITICAL

📋 TL;DR

CVE-2020-26712 is a critical SQL injection vulnerability in the ToDoList function of REDCap 10.3.4: the sort parameter is placed into a SQL statement without validation, so an attacker who can send requests to that page can make the database evaluate SQL of their choosing. The blast radius is everything the REDCap database account can read or write, which for a research data capture system means study records and participant data. Organizations running the affected version need to upgrade.

💻 Affected Systems

Products:
  • REDCap (Research Electronic Data Capture)
Versions: 10.3.4, the version named in the CVE record
Operating Systems: All platforms running REDCap
Default Config Vulnerable: ⚠️ Yes
Notes: The CVE record names only 10.3.4. It does not state whether earlier releases carry the same flaw, so treat an installation at or below 10.3.4 as unverified rather than safe, and check the REDCap changelog before ruling any version out.

📦 What is this software?

REDCap (Research Electronic Data Capture) is a PHP/MySQL web application developed at Vanderbilt University for building and managing survey and database projects in research studies. It is typically run by universities and hospitals and frequently holds participant-level data, which is why a database-level flaw in it matters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the REDCap database: reading and altering every table the application account can reach (study data as well as user and authentication records), privilege escalation within REDCap by editing user records, and, only if that database account also holds file-write or similar administrative privileges, code execution on the database host.

🟠 Likely Case

Unauthorized read access to sensitive research data, patient identifiers, or study records. Because a sort parameter lands in an ORDER BY position, extraction is typically slow and blind (the injected SQL changes row order or timing rather than returning extra columns), but it is still complete over time.

🟢 If Mitigated

Limited impact where sort values are mapped to an allowlist of column names before they reach the query and the database account holds only the privileges REDCap needs.

🌐 Internet-Facing: HIGH - Web applications with SQL injection vulnerabilities are prime targets for automated attacks when exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The sort parameter lands in an ORDER BY clause, which accepts arbitrary expressions, so exploitation is a single crafted request once the attacker has a session that can reach the To-Do List page. Note the tension with the score above: 9.8 corresponds to a CVSS vector with no privileges required, which is more pessimistic than the access requirement listed here.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 10.3.4 (10.3.5+)

Vendor Advisory: https://www.project-redcap.org/

Restart Required: No

Instructions:

1. Back up the REDCap installation and its database.
2. Download the latest REDCap release from the official site.
3. Apply it following REDCap's upgrade documentation.
4. On a non-production copy, confirm that the ToDoList page no longer executes a sort value that is not a column name (it should reject the value or fall back to the default ordering).

🔧 Temporary Workarounds

Restrict the ToDoList Function (all platforms)

Rather than looking for an application setting, restrict the page at the web server until the upgrade is applied: deny, or IP-allowlist to administrators, the ToDoList path in the Apache/nginx virtual host, and lift the restriction after patching.

# Deny or IP-allowlist the ToDoList path in the web server configuration (Apache <Location> or nginx location block); remove the rule after upgrading

Web Application Firewall Rules (all platforms)

Block SQL injection patterns in the sort argument (and, ideally, any other argument REDCap feeds into ORDER BY). Example ModSecurity rule using the libinjection-based @detectSQLi operator, scoped to the sort argument only:

SecRule ARGS:sort "@detectSQLi" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection attempt in sort parameter'"

Run it in DetectionOnly mode first. Legitimate sort values are bare column names, so false positives should be rare, but confirm that before enforcing.

🧯 If You Can't Patch

  • Validate every sort parameter against an allowlist that maps accepted names to fixed column identifiers; an ORDER BY clause cannot be bound as a query parameter, so allowlisting, not escaping, is the fix
  • Apply principle of least privilege to database accounts used by REDCap
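
The pattern behind this class of bug, and the allowlist fix recommended above, as an added illustration that is not REDCap's code and not the actual ToDoList query: a sort value spliced into ORDER BY beside a version that maps the request to a fixed column name. It runs against constructed rows in an in-memory SQLite database; the table and column names are invented for the demo.

```python
"""Added example, not REDCap's code: the generic ORDER BY injection pattern
and the allowlist fix for it, run against constructed rows in an in-memory
SQLite database. Table and column names are invented for the demo."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a to-do table plus a table the page should never reveal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE todo (id INTEGER PRIMARY KEY, request TEXT, status TEXT);
        INSERT INTO todo VALUES (1, 'move to production', 'pending'),
                                (2, 'create project', 'done'),
                                (3, 'delete project', 'pending');
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO secrets VALUES ('api_token', 'constructed-token-value');
        """
    )
    return conn


def list_todo_vulnerable(conn: sqlite3.Connection, sort: str) -> list:
    """Vulnerable pattern: the request's sort value is spliced into the statement.
    ORDER BY accepts any expression, so the caller controls what the database evaluates."""
    return conn.execute(f"SELECT id, request FROM todo ORDER BY {sort}").fetchall()


# Allowlist: each accepted sort name maps to a fixed, trusted column identifier.
SORT_COLUMNS = {"id": "id", "request": "request", "status": "status"}
SORT_RE = re.compile(r"^(?P<col>[a-z_]+)(?:\s+(?P<dir>asc|desc))?$", re.IGNORECASE)


def list_todo_hardened(conn: sqlite3.Connection, sort: str) -> list:
    """Hardened pattern: parse the sort request, then emit only allowlisted SQL.
    ORDER BY cannot be bound as a parameter, which is why a lookup table is used
    instead of a placeholder."""
    m = SORT_RE.match(sort.strip())
    if not m or m.group("col").lower() not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort parameter: {sort!r}")
    column = SORT_COLUMNS[m.group("col").lower()]
    direction = "DESC" if (m.group("dir") or "").lower() == "desc" else "ASC"
    return conn.execute(f"SELECT id, request FROM todo ORDER BY {column} {direction}").fetchall()


def probe_vulnerable(conn: sqlite3.Connection, condition: str) -> list:
    """Boolean ORDER BY probe through the vulnerable path: the row order, not an
    error message, tells the attacker whether `condition` is true. The page still
    renders normally and no UNION appears in the request, which matters for detection."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE request END)"
    return [row[0] for row in list_todo_vulnerable(conn, payload)]


if __name__ == "__main__":
    db = build_db()
    leak = "(SELECT value FROM secrets WHERE name = 'api_token') LIKE 'c%'"
    print("vulnerable, probe true :", probe_vulnerable(db, leak))  # [1, 2, 3]
    print("vulnerable, probe false:", probe_vulnerable(db, leak.replace("'c%'", "'z%'")))  # [2, 3, 1]
    print("hardened, request desc :", [r[0] for r in list_todo_hardened(db, "request desc")])
    try:
        list_todo_hardened(db, f"(CASE WHEN ({leak}) THEN id ELSE request END)")
    except ValueError as exc:
        print("hardened rejected      :", exc)
```

The probe is why "the page looks fine" is not evidence of safety: an injection in a sort position usually changes only row order, so a vulnerable endpoint can be read out one condition at a time without a single error in the logs. The hardened version still builds a string, but every fragment in it comes from a constant the attacker never touches.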

🔍 How to Verify

Check if Vulnerable:

Check REDCap version in Control Center > Configuration Check or examine version.php file

Check Version:

grep 'REDCAP_VERSION' /path/to/redcap/version.php

Verify Fix Applied:

Against a non-production copy, request the ToDoList page with a sort value that is not a column name (for example one containing parentheses or a SQL keyword). A fixed version rejects it or falls back to the default ordering; a vulnerable one changes the result order or raises a database error. Do not run this against production data.

📡 Detection & Monitoring

Log Indicators:

  • Database query log entries for the To-Do List query whose ORDER BY clause contains expressions (CASE, subqueries, function calls) rather than a bare column name
  • Database errors or unusually slow queries from the web tier (time-based probes such as SLEEP or BENCHMARK)
  • Failed logins followed by access to the ToDoList endpoint from the same source (an attacker first obtaining a session)
  • Sort parameters in web server logs containing SQL keywords (UNION, SELECT, CASE, SLEEP) or characters such as parentheses, quotes, and comment sequences

Network Indicators:

  • HTTP requests to ToDoList endpoint with suspicious sort parameters
  • Unusual database traffic patterns from web server

SIEM Query:

source="web_logs" AND uri="/redcap/*/ToDoList*" AND query="*sort=*" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*CASE*" OR query="*SLEEP(*" OR query="*BENCHMARK(*" OR query="*--*")

Keyword matching alone misses ORDER BY payloads, which often need neither UNION nor SELECT, and keywords may arrive URL-encoded or in mixed case. Decode the query string and prefer alerting on any sort value that is not a bare column name, with the keyword list as a secondary signal; also note that only GET requests expose the parameter in access logs, so POSTed forms need application or WAF logging.
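
The shape-based check in code, as an added example that is not the page's SIEM query: it parses access log lines, URL-decodes the sort parameter of ToDoList requests, and reports any value that is not a single identifier with an optional direction. The log lines and the ToDoList path are constructed for the demo.

```python
"""Added example, not the page's SIEM query: scan web-server access log lines for
ToDoList requests whose `sort` parameter is not shaped like a column name.
The log lines and the ToDoList path are constructed for the demo."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines (the exact ToDoList path is an assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2020:10:00:01 +0000] "GET /redcap/redcap_v10.3.4/ToDoList/index.php?sort=request HTTP/1.1" 200 5120
10.0.0.5 - - [01/Nov/2020:10:00:09 +0000] "GET /redcap/redcap_v10.3.4/ToDoList/index.php?sort=request%20desc HTTP/1.1" 200 5120
10.0.0.9 - - [01/Nov/2020:10:02:13 +0000] "GET /redcap/redcap_v10.3.4/ToDoList/index.php?sort=(CASE%20WHEN%20(SELECT%201)%3D1%20THEN%20id%20ELSE%20request%20END) HTTP/1.1" 200 5120
10.0.0.9 - - [01/Nov/2020:10:02:14 +0000] "GET /redcap/redcap_v10.3.4/ToDoList/index.php?sort=1,(SELECT%201%20WHERE%201%3D1) HTTP/1.1" 200 5120
10.0.0.9 - - [01/Nov/2020:10:02:15 +0000] "GET /redcap/redcap_v10.3.4/ToDoList/index.php?sort=id%20AND%20SLEEP(5) HTTP/1.1" 200 5120
10.0.0.7 - - [01/Nov/2020:10:03:00 +0000] "GET /redcap/redcap_v10.3.4/index.php?sort=UNION HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# What a legitimate sort value looks like: one identifier, optional direction.
SAFE_SORT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?: (?:asc|desc))?$", re.IGNORECASE)
# Tokens worth reporting once a value fails the shape check (context for the analyst,
# not the alerting decision itself).
SQL_HINT_RE = re.compile(
    r"[()';,]|--|/\*|\b(?:select|union|case|when|sleep|benchmark|and|or|if|substr)\b",
    re.IGNORECASE,
)


def suspicious_sort_requests(log_text: str) -> list:
    """Return one record per ToDoList request whose decoded sort value is not a plain column name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "todolist" not in url.path.lower():
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("sort", []):
            value = unquote(raw)  # parse_qs decoded once; a second pass catches double-encoding
            if SAFE_SORT_RE.match(value.strip()):
                continue
            hints = sorted({h.lower() for h in SQL_HINT_RE.findall(value)})
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "sort": value, "hints": hints})
    return hits


if __name__ == "__main__":
    for hit in suspicious_sort_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} sort={hit['sort']!r} hints={hit['hints']}")
```

The third flagged line (id AND SLEEP(5)) contains none of UNION, SELECT or INSERT and would slip past the keyword query above; the shape check catches it because the value is simply not a column name. The last sample line hits index.php rather than ToDoList and is ignored, which keeps the rule from firing on every parameter named sort across the application.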
