Critical

Unauthenticated SQL Injection in dotCMS Core Publish Audit API

IdentifiersCVE-2026-8054CWE-89· Improper Neutralization of Special…

CVE-2026-8054 is a critical SQL injection vulnerability in dotCMS Core affecting the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll. In vulnerable versions, these endpoints did not enforce authentication and accepted attacker-controlled input that was incorporated into dynamically constructed SQL statements without proper sanitization or parameter binding. The vulnerable code path is described as passing JSON-supplied bundle identifiers into PublishAuditAPIImpl, where values were wrapped and concatenated into a query of the form select * from publishing_queue_audit where bundle_id in (%s). This allowed remote unauthenticated attackers to inject arbitrary SQL against the backend PostgreSQL database. The issue affects dotCMS Core versions 25.11.04-1 through 26.04.28-02. LTS releases were not affected because the vulnerable code path was not backported.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote unauthenticated attackers to execute arbitrary SQL statements against the dotCMS backend database. Reported impact includes unauthorized reading, modification, and deletion of database content; schema extraction; credential theft; content tampering; creation or manipulation of privileged application data; and destructive operations such as dropping tables or otherwise damaging the database. The supporting content also indicates the possibility of stacked queries and notes that remote code execution on the database host may be theoretically possible in PostgreSQL environments where the database account has sufficiently elevated privileges.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, restrict or block access to /api/auditPublishing/get and /api/auditPublishing/getAll, especially from untrusted networks. Limit exposure of backend interfaces, enforce network-layer access controls, and monitor for suspicious requests targeting the Publish Audit API. Because the flaw was exploitable without authentication in vulnerable builds, reducing endpoint reachability is the primary short-term mitigation. Where possible, ensure only authenticated backend users with the appropriate publishing-queue portlet permission can reach the functionality.

Remediation

Patch, then assume compromise.

Upgrade dotCMS Core to version 26.04.28-03 or later. According to the provided content, the vendor fix parameterized the affected SQL queries and added authentication controls to the impacted Publish Audit API endpoints. Specifically, the fixed behavior requires an authenticated backend user with the publishing-queue portlet permission. Versions 25.11.04-1 through 26.04.28-02 are affected; referenced LTS releases are not affected.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

DotcmsCoreapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

nuclei templates pull requestsNews

Jun 9, 2026

CVE-2026-8054 - dotCMS Core Publish Audit API - Unauthenticated SQL Injection by DhiyaneshGeek · Pull Request #16353 · projectdiscovery/nuclei-templates · GitHub

An unauthenticated SQL injection vulnerability in the dotCMS Core Publish Audit API.

aretiq aiNews

May 27, 2026

CVE-2026-8054 - dotCMS Core Publish Audit API SQL Injection | Aretiq AI

A critical unauthenticated SQL injection vulnerability in dotCMS Core's Publish Audit API that allows remote attackers to execute arbitrary SQL against the PostgreSQL database, leading to full read/write/delete access and potential downstream compromise.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-8054

NVD

nvd.nist.gov/vuln/detail/CVE-2026-8054

MITRE CWE · CWE-89

Improper Neutralization of Special Elements…

dev.dotcms.com

dev.dotcms.com/docs/known-security-issues?issueNumber=SI-75

github.com

github.com/dotCMS/core/pull/35553