CVE-2026-49344
HIGH
Mercator has a Personal Identifiable Information Leak from Query Executor feature
Title source: cna
Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-49344. PoCs published by hadhub.
AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-49344, targeting an unauthenticated access control bypass in Mercator's JSON DSL query engine. The PoC extracts user PII and bcrypt password hashes via the `/admin/queries/execute` endpoint.
Description
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
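The two gaps described above (no per-role gate on the queried model, and hidden columns still usable in filter predicates) can be closed by a check that runs before the DSL is translated into a query. The following is an added example, not Mercator's code or its patch; the role names other than Auditor, the model allowlists, the filter shape (`field` / `op` / `value` with nested `and` / `or` groups) and the meaning of `traverse` are assumptions.

```python
"""Added example: guard for a Mercator-style JSON DSL query (not project code)."""

# Assumed for illustration: role names other than Auditor, the model lists,
# and the filter shape {"field", "op", "value"} with nested "and"/"or" groups.
ROLE_MODELS = {
    "Admin": {"User", "Server", "Application"},
    "Auditor": {"Server", "Application"},
}
# Columns a model hides from serialization must also be unusable in predicates.
HIDDEN_COLUMNS = {"User": {"password"}}


class QueryDenied(Exception):
    """Raised when a query must be rejected before it reaches the ORM."""


def filter_fields(filters):
    """Yield every field named in a filter list, including nested groups."""
    for item in filters or []:
        if not isinstance(item, dict):
            raise QueryDenied("malformed filter")
        if "field" in item:
            yield str(item["field"])
        for group in ("and", "or"):
            yield from filter_fields(item.get(group))


def authorize_query(role, query):
    """Return True if the role may run the query, else raise QueryDenied."""
    allowed = ROLE_MODELS.get(role, set())
    # Assumption: "traverse" lists related model names.
    models = [query.get("from")] + list(query.get("traverse") or [])
    for model in models:
        if not isinstance(model, str) or model not in allowed:
            raise QueryDenied(f"{role} may not query {model!r}")
    hidden = set().union(*(HIDDEN_COLUMNS.get(m, set()) for m in models))
    fields = list(query.get("select") or []) + list(filter_fields(query.get("filters")))
    for field in fields:
        # "users.password" and "PASSWORD" both resolve to the hidden column.
        if str(field).rsplit(".", 1)[-1].lower() in hidden:
            raise QueryDenied(f"hidden column referenced: {field}")
    return True
```

The same guard belongs on the `schema()` and `schemaModel()` paths, since the description lists them as unguarded too.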
Exploits (1)
References (1)
Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X