📄 Description (English)
A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
A critical SQL injection vulnerability exists in YunaiV yudao-cloud versions up to 2026.01 affecting the /admin-api/system/tenant/get-by-website endpoint. The flaw allows remote attackers to manipulate the Website parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. With a CVSS score of 7.3 and public exploit availability, this poses an immediate threat to organizations using this platform, particularly those managing multi-tenant SaaS environments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 7, 2026 01:55
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations operating cloud-based SaaS platforms, particularly: (1) Banking sector institutions using yudao-cloud for customer management systems under SAMA oversight; (2) Government agencies and entities under NCA jurisdiction managing multi-tenant administrative systems; (3) Healthcare providers storing patient data in cloud environments; (4) Telecommunications companies managing subscriber information; (5) E-commerce and fintech startups in the Saudi digital economy. The SQL injection vulnerability could lead to unauthorized access to sensitive customer data, financial records, and administrative credentials, directly impacting compliance with SAMA CSF, NCA ECC 2024, and data protection requirements.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Telecommunications
E-commerce and Retail
Fintech and Digital Payment
Energy and Utilities
Education
Insurance
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1557 - Man-in-the-Middle
T1040 - Traffic Capture or Redirection
T1005 - Data from Local System
T1213 - Data from Information Repositories
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1078 - Valid Accounts
T1087 - Account Discovery
T1087.004 - Account Discovery: Cloud Account
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of YunaiV yudao-cloud running versions up to 2026.01 in your environment
2. Implement network-level access controls to restrict access to /admin-api/system/tenant/get-by-website endpoint to trusted IP ranges only
3. Enable Web Application Firewall (WAF) rules to block SQL injection patterns in the Website parameter (detect: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, OR 1=1, etc.)
4. Review database access logs for suspicious queries executed between deployment date and current date
COMPENSATING CONTROLS (until patch available):
5. Implement input validation and sanitization at application layer - whitelist allowed characters for Website parameter
6. Apply principle of least privilege to database accounts used by yudao-cloud application
7. Enable database query logging and real-time alerting for suspicious SQL patterns
8. Implement database activity monitoring (DAM) solutions to detect anomalous queries
9. Restrict administrative API access through VPN/bastion hosts only
DETECTION RULES:
10. Monitor for HTTP requests to /admin-api/system/tenant/get-by-website containing SQL keywords in Website parameter
11. Alert on database connections executing unexpected queries from application service accounts
12. Track failed authentication attempts and privilege escalation attempts in database logs
13. Monitor for data exfiltration patterns (large SELECT queries, UNION-based queries)
PATCHING:
14. Contact YunaiV vendor immediately for security patch status and timeline
15. Prepare upgrade plan to patched version once available
16. Test patches in isolated environment before production deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ YunaiV yudao-cloud التي تعمل بإصدارات حتى 2026.01 في بيئتك
2. تطبيق عناصر تحكم الوصول على مستوى الشبكة لتقييد الوصول إلى نقطة النهاية /admin-api/system/tenant/get-by-website للنطاقات الموثوقة فقط
3. تفعيل قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل Website
4. مراجعة سجلات الوصول إلى قاعدة البيانات للاستعلامات المريبة المنفذة منذ تاريخ النشر
عناصر التحكم التعويضية:
5. تطبيق التحقق من صحة المدخلات على مستوى التطبيق - قائمة بيضاء للأحرف المسموحة
6. تطبيق مبدأ أقل امتياز على حسابات قاعدة البيانات
7. تفعيل تسجيل استعلامات قاعدة البيانات والتنبيهات في الوقت الفعلي
8. تطبيق حلول مراقبة نشاط قاعدة البيانات (DAM)
9. تقييد الوصول إلى API الإداري عبر VPN فقط
قواعد الكشف:
10. مراقبة طلبات HTTP التي تحتوي على كلمات SQL في معامل Website
11. التنبيه على اتصالات قاعدة البيانات التي تنفذ استعلامات غير متوقعة
12. تتبع محاولات المصادقة الفاشلة وتصعيد الامتيازات
13. مراقبة أنماط تسرب البيانات
التصحيح:
14. الاتصال بمورد YunaiV فوراً للحصول على حالة التصحيح الأمني
15. إعداد خطة الترقية إلى الإصدار المصحح
16. اختبار التصحيحات في بيئة معزولة قبل النشر في الإنتاج
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.6.2.2 - User Access Rights
A.7.1.1 - Cryptography Policy
A.8.2.1 - Classification of Information
A.8.2.2 - Handling of Assets
A.9.1.1 - Event Logging
A.9.2.1 - User Activity Monitoring
A.10.1.1 - Vulnerability Management
🔵 SAMA CSF
Governance - Risk Management Framework
Governance - Third-party Risk Management
Protection - Access Control and Authentication
Protection - Data Protection and Privacy
Detection - Security Monitoring and Logging
Detection - Vulnerability and Patch Management
Response - Incident Response and Management
🟡 ISO 27001:2022
A.5.1 - Management Direction for Information Security
A.6.1 - Information Security Policies and Procedures
A.6.2 - Information Security Responsibilities and Authorities
A.7.1 - Cryptographic Controls
A.8.1 - User Endpoint Devices
A.8.2 - Privileged Access Rights
A.8.3 - Information Access Restriction
A.9.1 - Audit Logging
A.9.2 - Monitoring
A.9.4 - Event Logging
A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.2 - Ensure security patches are installed
Requirement 8 - Assign and manage access to cardholder data
Requirement 10 - Track and monitor all access to network resources
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://github.com/NarcherAlter/Security_Note/blob/main/Vulnerability_Discovery/yudaoCl...
cna@vuldb.com
https://github.com/NarcherAlter/Security_Note/blob/main/Vulnerability_Discovery/yudaoCl...
cna@vuldb.com
https://vuldb.com/submit/780191
cna@vuldb.com
https://vuldb.com/vuln/354181
cna@vuldb.com
https://vuldb.com/vuln/354181/cti
cna@vuldb.com