CVE-2026-49344

HIGH

Mercator has a Personal Identifiable Information Leak from Query Executor feature

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-49344. PoCs published by hadhub.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-49344, targeting an unauthenticated access control bypass in Mercator's JSON DSL query engine. The PoC extracts user PII and bcrypt password hashes via the `/admin/queries/execute` endpoint.

Description

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
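The description points at two separate defects: `execute()` lacks the authorization gate its sibling actions have, and `$hidden` only affects serialization, so a hidden column is still accepted in a `WHERE` predicate. The following Laravel controller sketch is an added example, not Mercator's own code; it shows the unguarded shape beside a hardened one. The ability name `query_access`, the `App\Models` namespace, and the `QUERYABLE` model allowlist are assumptions.

```php
<?php
// Added example, not Mercator's code. Assumes a Laravel/Eloquent app whose
// models live under App\Models and whose gate ability is named 'query_access'
// (assumed name, chosen to match the store()/massDestroy() pattern).
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Symfony\Component\HttpFoundation\Response;

class QueryController extends Controller
{
    // Shape the advisory describes: no gate, and any column, including the
    // $hidden `password`, may appear in a filter predicate (e.g. LIKE 'a%').
    public function executeUnguarded(Request $request)
    {
        $dsl   = $request->json()->all();
        $model = 'App\\Models\\' . $dsl['from'];              // e.g. "User"
        $query = $model::query();
        foreach ($dsl['filters'] ?? [] as $f) {
            $query->where($f['field'], $f['op'], $f['value']);
        }
        return response()->json($query->get($dsl['select'] ?? ['*']));
    }

    // Hardened shape: gate enforced first, model restricted to an allowlist,
    // operator restricted, and predicates/selects on $hidden attributes refused.
    private const QUERYABLE = ['Application', 'Database', 'Server'];  // assumed list
    private const OPS       = ['=', '!=', '<', '>', '<=', '>=', 'like'];
    public function execute(Request $request)
    {
        abort_if(Gate::denies('query_access'), Response::HTTP_FORBIDDEN, '403 Forbidden');
        $dsl = $request->json()->all();
        abort_unless(in_array($dsl['from'] ?? '', self::QUERYABLE, true),
            Response::HTTP_UNPROCESSABLE_ENTITY, 'model not queryable');

        $model  = 'App\\Models\\' . $dsl['from'];
        $hidden = array_flip((new $model())->getHidden());    // e.g. password, remember_token

        $query = $model::query();
        foreach ($dsl['filters'] ?? [] as $f) {
            // Reject hidden columns before they reach the builder: $hidden is a
            // serialization concern and never filters WHERE clauses by itself.
            abort_if(isset($hidden[$f['field']]) || !in_array(strtolower($f['op']), self::OPS, true),
                Response::HTTP_UNPROCESSABLE_ENTITY, 'disallowed filter');
            $query->where($f['field'], $f['op'], $f['value']);
        }
        $select = array_values(array_diff($dsl['select'] ?? ['*'], array_keys($hidden)));
        return response()->json($query->get($select));
    }
}
```

The same gate check belongs on `schema()` and `schemaModel()`, which the description notes are unguarded in the same way.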

Exploits (1)

nomisec WORKING POC
by hadhub · poc
https://github.com/hadhub/CVE-2026-49344-Mercator-JSON-DSL

Classification
Working PoC: 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Mercator (version not specified)
Authentication: required
Prerequisites: valid credentials for authentication · access to the `/admin/queries/execute` endpoint
Analyzed by devstral-2, Jul 02, 2026

Scores

CVSS v4: 7.1
EPSS: 0.0028
EPSS Percentile: 19.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-359
Status: published
Products (1): sourcentis/mercator < 2025.05.19
Published: Jun 19, 2026
Tracked Since: Jun 20, 2026