📄 Description (English)
A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-4594 is a SQL injection vulnerability in Erupt framework (up to v1.13.3) affecting the HQL query generation function. An attacker can manipulate the 'sort.field' parameter to inject malicious SQL/HQL code, potentially leading to unauthorized data access, modification, or deletion. With a CVSS score of 7.3 and public exploit disclosure, this poses a significant risk to organizations using vulnerable Erupt versions, particularly those managing sensitive data through web applications.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 6, 2026 09:49
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using Erupt framework in their web applications, particularly in: Banking sector (SAMA-regulated institutions) for customer data management systems; Government agencies (NCA oversight) managing citizen records; Healthcare providers handling patient information; E-commerce and fintech platforms processing transactions. The SQL injection capability could lead to unauthorized access to sensitive financial records, personal data breaches, and system compromise. Organizations in the financial services sector face the highest risk due to regulatory scrutiny and data sensitivity.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
Insurance
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running Erupt framework versions up to 1.13.3 through asset inventory and application scanning
2. Isolate or restrict network access to affected applications until patching is completed
3. Review access logs for suspicious sort.field parameter manipulation patterns
4. Implement Web Application Firewall (WAF) rules to block SQL injection attempts targeting sort parameters
Patching Guidance:
1. Upgrade Erupt framework to version 1.14.0 or later when available
2. If upgrade is not immediately possible, apply input validation filters to the sort.field parameter
3. Implement parameterized queries and prepared statements for all HQL operations
4. Use ORM framework's built-in query builders instead of string concatenation
Compensating Controls:
1. Deploy WAF rules: Block requests containing SQL keywords (UNION, SELECT, DROP, etc.) in sort.field parameter
2. Implement strict input validation: Allow only alphanumeric characters and underscores in sort field names
3. Use database user accounts with minimal privileges (read-only where possible)
4. Enable database query logging and audit trails
5. Implement rate limiting on API endpoints accepting sort parameters
Detection Rules:
1. Monitor for sort.field parameters containing: quotes, semicolons, SQL keywords, or encoded characters
2. Alert on database error messages in application logs related to HQL parsing
3. Track unusual database query patterns or failed authentication attempts
4. Monitor for data exfiltration patterns following sort parameter manipulation
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بإصدارات Erupt حتى 1.13.3 من خلال جرد الأصول وفحص التطبيقات
2. عزل أو تقييد الوصول إلى الشبكة للتطبيقات المتأثرة حتى اكتمال التصحيح
3. مراجعة سجلات الوصول للبحث عن أنماط تلاعب مريبة بمعامل sort.field
4. تطبيق قواعد جدار الحماية لتطبيقات الويب لحجب محاولات حقن SQL
إرشادات التصحيح:
1. ترقية إطار عمل Erupt إلى الإصدار 1.14.0 أو أحدث عند توفره
2. إذا لم يكن الترقية ممكنة فوراً، طبق مرشحات التحقق من صحة الإدخال على معامل sort.field
3. تطبيق الاستعلامات المعاملة والبيانات المحضرة لجميع عمليات HQL
4. استخدم منشئات الاستعلامات المدمجة في إطار العمل بدلاً من ربط السلاسل
الضوابط البديلة:
1. نشر قواعد WAF: حجب الطلبات التي تحتوي على كلمات SQL في معامل sort.field
2. تطبيق التحقق الصارم من الإدخال: السماح فقط بالأحرف الأبجدية الرقمية والشرطات السفلية
3. استخدام حسابات قاعدة البيانات بأقل الامتيازات
4. تفعيل تسجيل استعلامات قاعدة البيانات والمراجعة
5. تطبيق تحديد معدل على نقاط نهاية API التي تقبل معاملات الفرز
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for system development and maintenance
ECC 2024 A.14.2.5 - Secure development policy and procedures
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.BE-3.1 - Organizational resilience objectives
SAMA CSF PR.DS-6 - Data is protected from unauthorized access
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1 - Organizational controls for information security
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.14.2.5 - Secure development environment
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.2 - Vulnerability scanning