CVE-2026-27179

8.2 HIGH

📋 TL;DR

MajorDoMo contains an unauthenticated SQL injection vulnerability in the commands module: the `parent` request parameter handled by commands_search.inc.php reaches the database query unescaped, so an attacker with no session can run arbitrary SQL against the application database. This enables extraction of admin credentials, which are stored as unsalted MD5 hashes, leading to complete system compromise. All installations that ship the vulnerable commands module are affected.

💻 Affected Systems

Products:
  • MajorDoMo (Major Domestic Module)
Versions: All versions prior to the fix in pull request #1177
Operating Systems: All platforms running MajorDoMo
Default Config Vulnerable: ⚠️ Yes
Notes: The commands module is loadable by default via the /objects/?module=commands endpoint, and that endpoint does not require authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover: attackers extract admin credentials, gain admin panel access, execute arbitrary code, and potentially pivot to other systems.

🟠 Likely Case

Credential theft and admin panel compromise leading to unauthorized control of the MajorDoMo system and connected devices.

🟢 If Mitigated

Limited impact due to network segmentation and proper authentication controls preventing exploitation.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable without authentication via a public endpoint, making internet-facing systems immediate targets.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to insider threats or compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Time-based blind SQL injection using UNION SELECT SLEEP() syntax is documented in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version including pull request #1177

Vendor Advisory: https://github.com/sergejey/majordomo/pull/1177

Restart Required: No

Instructions:

1. Update to the latest MajorDoMo version that includes pull request #1177.
2. Apply the patch that adds parameterized queries to commands_search.inc.php.
3. Verify that $_GET['parent'] reaches the database only through the parameterized query, never by string concatenation into SQL text.
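To show why step 2 is the fix rather than input filtering, here is an added example (not MajorDoMo code, and not the contents of commands_search.inc.php or pull request #1177) that puts the vulnerable string-spliced query beside the parameterized form. It uses an in-memory SQLite database with a hypothetical commands/users schema in place of MajorDoMo's MySQL database; the table and column names, the sample credential and the UNION payload are all constructed for the demonstration.

```python
import hashlib
import sqlite3

# Constructed sample data. The schema, table and column names are hypothetical
# stand-ins, not MajorDoMo's real ones; the unsalted MD5 hash mirrors how the
# advisory says admin credentials are stored.
ADMIN_HASH = hashlib.md5(b"s3cret").hexdigest()
USERS = [("admin", ADMIN_HASH)]
COMMANDS = [(1, 0, "lights_on"), (2, 1, "lights_off")]

# Constructed UNION payload for the 'parent' parameter. The appended SELECT
# must return as many columns as the original query (two here).
PAYLOAD = "0' UNION SELECT username, password FROM users--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database standing in for the application's MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE commands (id INTEGER, parent INTEGER, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO commands VALUES (?, ?, ?)", COMMANDS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, parent: str) -> list:
    """Vulnerable pattern: the request value is spliced into the SQL text.

    A single quote in 'parent' closes the string literal, and everything after
    it is parsed as SQL, so a UNION can pull rows from any other table.
    """
    sql = f"SELECT id, title FROM commands WHERE parent='{parent}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, parent: str) -> list:
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, title FROM commands WHERE parent=?"
    return conn.execute(sql, (parent,)).fetchall()


def run_demo() -> dict:
    """Run the same payload through both variants, plus a benign value."""
    conn = make_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "hardened": search_parameterized(conn, PAYLOAD),
        "benign": search_parameterized(conn, "0"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns the admin username and MD5 hash alongside the legitimate command row; the bound variant returns nothing for the same payload because the whole string is compared as a value. The time-based variant documented in the public references works the same way, with MySQL's SLEEP() in the appended SELECT instead of a column read, which is why the response delay alone confirms injection.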

🔧 Temporary Workarounds

Disable commands module

linux

Temporarily disable the vulnerable commands module to prevent exploitation

# Remove or rename commands module files
mv /path/to/majordomo/modules/commands /path/to/majordomo/modules/commands.disabled

Web server access control

all

Block access to the vulnerable endpoint using web server configuration. Both rules below match the literal query string, so unusual percent-encoding of the module name can slip past them; treat this as a stopgap and prefer disabling the module or patching.

# For Apache: add to .htaccess or the virtual host config (requires mod_rewrite).
# RewriteRule only sees the path, so the query string must be tested with RewriteCond.
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)module=commands(&|$) [NC]
RewriteRule ^/?objects/ - [F]

# For Nginx: add to the server block. A location pattern never matches the
# query string, so test the 'module' argument instead.
location /objects/ {
    if ($arg_module = "commands") {
        return 403;
    }
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MajorDoMo systems from untrusted networks
  • Deploy a web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Request /objects/?module=commands without a session cookie: if the module content is returned instead of a redirect to the login page, the endpoint is reachable unauthenticated. Then confirm that the 'parent' parameter is passed into the query unescaped (a single quote in the value changes the response, or the time-based payloads from the public references delay it).

Check Version:

Check MajorDoMo version in configuration files or admin panel

Verify Fix Applied:

Verify that commands_search.inc.php passes $_GET['parent'] to the database only through the parameterized query added in pull request #1177, and re-run the injection test above to confirm that a quote or SLEEP() payload no longer changes or delays the response.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to /objects/?module=commands with SQL-like parameters
  • Failed authentication attempts after SQL injection patterns

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, SLEEP) to /objects/?module=commands
  • Unusual traffic patterns to the commands endpoint

SIEM Query:

source="web_logs" AND (url="/objects/" AND query="*module=commands*") AND (query="*UNION*" OR query="*SELECT*" OR query="*SLEEP*")
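The SIEM query above keys on raw SQL keywords in the URL. The following is an added example (not part of the original page or of MajorDoMo) of the same logic run over access logs in code, which URL-decodes the query parameters first so that encoded and double-encoded payloads are caught, and counts hits per source IP for the "multiple requests" indicator. The log lines are constructed for the demonstration, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log lines (not real traffic).
# Lines 2 and 4 carry the time-based payload shape the advisory mentions;
# line 3 targets a different module and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "GET /objects/?module=commands&parent=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "GET /objects/?module=commands&parent=1%27%20UNION%20SELECT%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [01/Mar/2026:10:00:03 +0000] "GET /objects/?module=scenes&parent=1%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:00:04 +0000] "GET /objects/?module=commands&parent=1%27%20AND%20sleep(3)%23 HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords and comment markers from the advisory's indicators, plus the
# BENCHMARK() time-based alternative; matched case-insensitively.
SQLI_RE = re.compile(r"\b(union|select|sleep|benchmark)\b|--|#|/\*", re.IGNORECASE)


def is_suspicious(target: str) -> bool:
    """True when the request hits /objects/ with module=commands and any
    query parameter value looks like SQL after URL decoding."""
    parts = urlsplit(target)
    if parts.path != "/objects/":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("module") != ["commands"]:
        return False
    for values in params.values():
        for value in values:
            # parse_qs already decoded once; unquote again to catch
            # double-encoded payloads.
            if SQLI_RE.search(unquote(value)):
                return True
    return False


def scan(log_text: str) -> list:
    """Return (client_ip, request_target) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


def hits_by_source(log_text: str) -> Counter:
    """Count suspicious requests per client IP (the 'multiple requests' indicator)."""
    return Counter(ip for ip, _ in scan(log_text))


if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"{ip} {target}")
    print(hits_by_source(SAMPLE_LOG))
```

Against the constructed sample, only the two requests from 203.0.113.7 to module=commands are flagged; the same payload sent to a different module is ignored, which keeps the rule scoped to the endpoint this CVE concerns. The keyword list will still fire on legitimate values containing words like "select", so use the per-source count rather than a single hit as the alerting threshold.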
