CVE-2026-25076
📋 TL;DR
An authenticated attacker with access to the GraphQL Reports API in Anchore Enterprise can execute arbitrary SQL commands through an SQL injection vulnerability. This allows modification of database contents, potentially compromising data integrity and confidentiality. Organizations running Anchore Enterprise versions before 5.25.1 are affected.
💻 Affected Systems
- Anchore Enterprise
⚠️ Manual Verification Required
This CVE did not carry version ranges in our database when this page was generated, so automated matching cannot tell whether a given installation is affected.
Why? The NVD entry for this CVE lacks vendor-supplied version ranges. The vendor release notes linked below name 5.25.1 as the fixed release, so treat any earlier release as affected until you have confirmed otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data destruction, privilege escalation, or lateral movement to connected systems.
Likely Case
Data manipulation or exfiltration of sensitive container scan results, user credentials, or system configurations.
If Mitigated
Limited impact due to network segmentation and strict access controls preventing unauthorized GraphQL API access.
🎯 Exploit Status
Exploitation requires valid authentication credentials and GraphQL API access
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.25.1
Vendor Advisory: https://docs.anchore.com/current/docs/release_notes/enterprise/5251/
Restart Required: Yes
Instructions:
1. Back up the Anchore Enterprise database.
2. Upgrade to Anchore Enterprise version 5.25.1 or later.
3. Restart all Anchore Enterprise services.
4. Verify that the upgrade completed successfully and that the running version reports 5.25.1 or later.
🔧 Temporary Workarounds
Restrict GraphQL API Access
Limit network access to the GraphQL Reports API endpoint to the hosts and users that need it, using firewall rules, a reverse-proxy allowlist, or network segmentation. This does not remove the injection flaw; it only shrinks the set of authenticated principals who can reach it.
Implement API Rate Limiting
Configure rate limiting on the GraphQL endpoint. A rate limit does not stop a single injected query, but blind and time-based SQL injection needs many requests to extract data, so a low per-user limit slows extraction and makes the attempt visible in logs.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Anchore Enterprise from other critical systems
- Enforce principle of least privilege for all user accounts with GraphQL API access
🔍 How to Verify
Check if Vulnerable:
Check the Anchore Enterprise version via the admin interface or the API. If the version is below 5.25.1, the system is vulnerable. Compare version numbers numerically, not as strings: a text comparison sorts 5.9.x above 5.25.1.
Check Version:
anchore-enterprise-manager --version
Verify Fix Applied:
Confirm that the running version is 5.25.1 or higher and that the GraphQL Reports API remains operational after the upgrade.
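The version check above is the kind of thing that gets done with a string comparison in a shell one-liner or a SIEM rule, which fails for versions like 5.9.3. The following is an added example (not Anchore's code) that parses a reported version string and classifies it against the fixed release named on this page; the sample version strings are constructed, and a pre-release build of 5.25.1 is deliberately treated as unpatched, which is an assumption on the conservative side.

```python
"""Version triage for this advisory: is a reported Anchore Enterprise version below the fixed release?

Added example, not Anchore's code. It assumes only the fixed version stated on this page
(5.25.1) and the usual major.minor.patch version string; the sample inputs are constructed.
"""
import re
from typing import Tuple

FIXED_VERSION = "5.25.1"  # from the vendor release notes cited on this page

# Optional leading 'v', three numeric components, optional '-suffix' (e.g. '-rc1').
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease); raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4) is not None


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version predates the fix.

    Tuples of ints compare numerically, so 5.9.3 < 5.25.1 as intended. A pre-release of
    the fixed version (5.25.1-rc1) predates 5.25.1 under semver and is treated as unpatched
    (assumption: conservative, since the release notes only vouch for the final build).
    """
    core, prerelease = parse_version(version_text)
    fixed_core, _ = parse_version(fixed)
    if core < fixed_core:
        return True
    return core == fixed_core and prerelease


def string_compare_says_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """The naive text comparison a quick script might do; kept only to show where it goes wrong."""
    return version_text.lstrip("v") >= fixed


def classify_versions(versions) -> dict:
    """Map each reported version to 'vulnerable', 'patched', or 'unknown' (unparseable)."""
    result = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v) else "patched"
        except ValueError:
            result[v] = "unknown"
    return result


# Constructed sample input: version strings as an inventory might report them.
SAMPLE_VERSIONS = ["5.25.0", "5.25.1", "5.26.0", "5.9.3", "v6.0.0", "5.25.1-rc1", "latest"]

if __name__ == "__main__":
    for version, verdict in classify_versions(SAMPLE_VERSIONS).items():
        naive = "patched" if version[0].isdigit() and string_compare_says_patched(version) else "?"
        print(f"{version:12s} numeric={verdict:10s} string-compare={naive}")
```

Anything classified as unknown (a tag like `latest`, or a build identifier with no version number) needs a manual look; do not let it default to patched.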
📡 Detection & Monitoring
Log Indicators:
- GraphQL queries to the Reports API whose string arguments or variables contain SQL metacharacters (single quotes, comment sequences, UNION/SELECT, statement separators, sleep functions)
- Bursts of database errors attributable to a single user or API key, which is what failed injection probes look like
- PostgreSQL error messages (for example "syntax error at or near" or "unterminated quoted string") in the reports service logs
Network Indicators:
- High volume of POST requests from one client to the Reports API GraphQL endpoint (/v1/reports on the path cited here; confirm the API prefix for your release)
- SQL syntax inside GraphQL request bodies. The body is JSON, so inspect the string values in query arguments and in the variables object rather than looking for bare SQL statements
SIEM Query:
source="anchore-enterprise" AND (message="*SQL error*" OR message="*database error*" OR message="*syntax error at or near*")
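The log and network indicators above are easier to judge with the logic written out. The following is an added example (not Anchore's code and not a signature for this specific bug, for which no exploit details are given here) that scans constructed access-log and application-log lines for those indicators and scores them per user. Everything about the input is an assumption: a JSON-per-request access log with user/method/path/body fields, the /v1/reports path prefix taken from this page, an illustrative GraphQL schema, and PostgreSQL/psycopg2 error text in the application log.

```python
"""Detection sketch for the SQL-injection indicators listed above.

Added example, not Anchore's code. Assumptions: the proxy writes one JSON object per request
with user/method/path/body fields, the reports GraphQL endpoint lives under /v1/reports (the
prefix differs by release), and the application log carries the PostgreSQL driver's error text.
"""
import json
import re
from collections import defaultdict

REPORTS_PATH_PREFIX = "/v1/reports"  # assumption; confirm the API prefix for your deployment

# Common injection shapes applied to caller-controlled strings. These are generic indicators,
# not a signature of this CVE. The comment-sequence rule can fire on benign '--' in free text.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I), "boolean tautology"),
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"--|/\*|\*/"), "SQL comment sequence"),
    (re.compile(r";\s*(select|insert|update|delete|drop|alter)\b", re.I), "stacked statement"),
    (re.compile(r"\bpg_sleep\s*\(", re.I), "time-based probe (PostgreSQL)"),
]
# PostgreSQL / psycopg2 error text that an injected quote typically produces.
DB_ERROR_RE = re.compile(r"syntax error at or near|unterminated quoted string|psycopg2\.errors", re.I)
USER_RE = re.compile(r"\buser=(\S+)")  # assumed log field


def graphql_strings(body: dict) -> list:
    """Collect the strings a caller controls: quoted literals in the query document plus all variable values."""
    found = re.findall(r'"((?:[^"\\]|\\.)*)"', body.get("query", ""))

    def walk(value):
        if isinstance(value, str):
            found.append(value)
        elif isinstance(value, dict):
            for v in value.values():
                walk(v)
        elif isinstance(value, list):
            for v in value:
                walk(v)

    walk(body.get("variables") or {})
    return found


def inspect_request(line: str):
    """Return (user, [(label, offending_string), ...]) for a reports GraphQL POST, or None if out of scope."""
    rec = json.loads(line)
    if rec.get("method") != "POST" or not rec.get("path", "").startswith(REPORTS_PATH_PREFIX):
        return None
    user = rec.get("user", "<unknown>")
    try:
        body = json.loads(rec.get("body", ""))
    except ValueError:
        return user, [("unparseable request body", rec.get("body", ""))]
    findings = [(label, s) for s in graphql_strings(body) for pat, label in SQLI_PATTERNS if pat.search(s)]
    return user, findings


def triage(access_lines, app_lines) -> dict:
    """Per-user counts of request-side indicators and database errors; a user scoring on both comes first."""
    score = defaultdict(lambda: {"injection_indicators": 0, "db_errors": 0})
    for line in access_lines:
        hit = inspect_request(line)
        if hit is not None:
            user, findings = hit
            score[user]["injection_indicators"] += len(findings)
    for line in app_lines:
        if DB_ERROR_RE.search(line):
            m = USER_RE.search(line)
            score[m.group(1) if m else "<unknown>"]["db_errors"] += 1
    return dict(score)


def _access_record(user, path, query, variables=None):
    """Build one constructed access-log line in the assumed JSON-per-request format."""
    body = json.dumps({"query": query, "variables": variables or {}})
    return json.dumps({"user": user, "method": "POST", "path": path, "body": body})


# Constructed sample input; the images(tag:) field is illustrative, not Anchore's real schema.
SAMPLE_ACCESS_LOG = [
    _access_record("alice", "/v1/reports/graphql", '{ images(tag: "nginx:latest") { digest } }'),
    _access_record("mallory", "/v1/reports/graphql", "query($t: String) { images(tag: $t) { digest } }", {"t": "x' OR '1'='1"}),
    _access_record("mallory", "/v1/reports/graphql", "{ images(tag: \"x' UNION SELECT password FROM users--\") { digest } }"),
    _access_record("mallory", "/v1/reports/graphql", "query($t: String) { images(tag: $t) { digest } }", {"t": "x'; SELECT pg_sleep(5)--"}),
    _access_record("bob", "/v1/images", "{ ignored }"),  # not the reports endpoint: out of scope
]
SAMPLE_APP_LOG = [  # constructed; format assumed
    "2026-02-10T12:00:01Z reports INFO user=alice query completed in 12ms",
    '2026-02-10T12:00:07Z reports ERROR user=mallory psycopg2.errors.SyntaxError: syntax error at or near "OR"',
    "2026-02-10T12:00:09Z reports ERROR user=mallory psycopg2.errors.SyntaxError: unterminated quoted string at or near \"'--\"",
]

if __name__ == "__main__":
    for user, counts in sorted(triage(SAMPLE_ACCESS_LOG, SAMPLE_APP_LOG).items()):
        print(user, counts)
```

The request-side rules alone will produce false positives (image tags and annotations can legitimately contain quotes or `--`), which is why the score pairs them with database errors from the same principal; a user who trips both in a short window is the one to pull the full query history for.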