CVE-2026-21856
📋 TL;DR
This CVE describes a time-based blind SQL injection vulnerability in Tarkov Data Manager's webhook edit and scanner API endpoints. Authenticated attackers can execute arbitrary SQL queries against the MySQL database, potentially accessing, modifying, or deleting sensitive data. Users running Tarkov Data Manager before commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 are affected.
💻 Affected Systems
- Tarkov Data Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, modification, or deletion; potential privilege escalation to database administrator; possible lateral movement to other systems.
Likely Case
Unauthorized access to sensitive Tarkov item data, user information, and configuration details; data manipulation affecting application functionality.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
Exploitation requires authentication, but time-based blind SQL injection is a well-documented attack pattern and exploit tools for blind SQLi are widely available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8
Vendor Advisory: https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78
Restart Required: Yes
Instructions:
1. Pull latest code from repository.
2. Verify commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 is included.
3. Restart Tarkov Data Manager service.
4. Test webhook edit and scanner API endpoints.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation to reject SQL injection patterns in webhook edit and scanner API endpoints
# Add input validation in affected endpoints to filter SQL keywords and special characters
Database Permission Restriction
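Limit database user permissions to minimum required operations
-- `your_database` and 'tarkov_user' are placeholders; substitute the schema and account your deployment uses.
REVOKE ALL PRIVILEGES ON `your_database`.* FROM 'tarkov_user'@'%';
GRANT SELECT, INSERT, UPDATE ON `your_database`.* TO 'tarkov_user'@'%';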
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Disable affected endpoints if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check the git log of the deployed checkout for commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8; if it is not present, the system is vulnerable.
Check Version:
git log --format=%H | grep 9bdb3a75a98a7047b6d70144eb1da1655d6992a8
Verify Fix Applied:
Test webhook edit and scanner API endpoints with SQL injection payloads; verify no time delays or data leakage occurs
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns
- Multiple failed authentication attempts followed by SQL-like requests
- Long response times from webhook/scanner endpoints
Network Indicators:
- SQL keywords in HTTP POST/PUT requests to webhook/scanner endpoints
- Unusual timing patterns in API responses
SIEM Query:
source="web_logs" AND (uri="/webhook/edit" OR uri="/scanner/api") AND (request_body CONTAINS "SELECT" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SLEEP")
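The "long response times" and "unusual timing patterns" indicators above can be checked more precisely than with a keyword match: a time-based probe shows up as one client getting a mix of fast responses and slow responses that cluster around the same delay. The following is an added example, not code from the advisory or the project; the log format, thresholds and sample lines are assumptions, and the endpoint paths are the ones used in the SIEM query above.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines (not real traffic). Assumed log format:
# client method path status response_seconds
SAMPLE_LOG = """\
10.0.0.5 POST /webhook/edit 200 0.041
10.0.0.5 POST /webhook/edit 200 5.038
10.0.0.5 POST /webhook/edit 200 0.039
10.0.0.5 POST /webhook/edit 200 5.044
10.0.0.5 POST /webhook/edit 200 5.041
10.0.0.5 POST /webhook/edit 200 0.043
10.0.0.9 POST /scanner/api 200 0.120
10.0.0.9 POST /scanner/api 200 2.200
10.0.0.9 POST /scanner/api 200 3.400
10.0.0.9 POST /scanner/api 200 0.110
10.0.0.9 POST /scanner/api 200 7.900
10.0.0.7 GET /items 200 6.000
"""

WATCHED = ("/webhook/edit", "/scanner/api")  # paths as written in the SIEM query above
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+(?:\.\d+)?)$")

def find_timing_anomalies(log_text, slow_seconds=2.0, min_slow=3, max_spread=0.5):
    """Flag (client, path) pairs with a fast baseline plus a tight cluster of slow responses."""
    latencies = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        client, _method, path, _status, secs = m.groups()
        path = path.split("?")[0]  # group by endpoint, ignoring the query string
        if path.startswith(WATCHED):
            latencies[(client, path)].append(float(secs))
    flagged = {}
    for key, times in latencies.items():
        slow = [t for t in times if t >= slow_seconds]
        fast = [t for t in times if t < slow_seconds]
        if len(slow) < min_slow or not fast:
            continue  # an endpoint that is always slow is not this pattern
        if max(slow) - min(slow) <= max_spread:  # slow responses share one constant delay
            flagged[key] = {"slow": len(slow), "total": len(times), "delay": round(statistics.median(slow), 2)}
    return flagged

if __name__ == "__main__":
    for (client, path), info in find_timing_anomalies(SAMPLE_LOG).items():
        print(client, path, info)
```

The second client in the sample is deliberately not flagged: its slow responses vary by several seconds, which is what ordinary load looks like rather than a fixed delay.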