External risk intelligence

RuoYi SQL Injection in Code Generation Module

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-38812

A SQL injection vulnerability in a code generation module of RuoYi may allow an authenticated attacker to access sensitive database information. This issue is in a tool typically used by administrators, and while network-accessible, its exposure is generally limited to authenticated internal users. Confirming its relev

Halo Surface Signal: 3

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38812

The vulnerability exists within a code generation module of an administrative tool. While the endpoint is network-reachable, it is typically restricted to authenticated administrative users within internal environments. Public internet exposure is not a standard deployment pattern for this specific functionality.

PCI scan relevance

PCI Relevance for CVE-2026-38812

Yes

CVE-2026-38812 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves SQL Injection, which is a type of flaw that can lead to an automatic PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical SQL injection vulnerability in the code generation module of RuoYi, a Java-based administrative framework, could allow an authenticated attacker to access sensitive database information. The affected module is typically used by administrators, and while it is network-accessible, its exposure is generally limited to authenticated internal users. Understanding its relevance to our environment is the primary concern.

  • Vulnerability allows access to sensitive database information.
  • Administrative tools can be targets for data breaches.
  • Confirm relevance and exposure within our systems.

Attack Path

How an attacker could exploit the issue

An attacker who already holds administrative credentials could target the code generation feature within RuoYi's administrative tools. The vulnerability, located in the `/tool/gen/createTable` endpoint, allows that user to inject SQL into the statement the module processes, potentially leading to unauthorized access to sensitive data beyond what the feature is meant to expose.

  • Requires administrative privileges.
  • Triggered via the create table endpoint.
  • Leads to sensitive data access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the code generation module could allow an authenticated administrator to access sensitive database information through the `/tool/gen/createTable` endpoint.

  • Database information could be accessed.
  • SQL injection via an authenticated endpoint.
  • Exposure of sensitive database contents.

Operational Fix

Recommended remediation, mitigation, and detection steps

The SQL injection vulnerability in RuoYi's code generation module likely falls under the responsibility of application owners and potentially platform teams, given that it affects an administrative tool. The first practical step is to identify all instances of RuoYi, confirm whether the `/tool/gen/createTable` endpoint is reachable (and from where) and whether the instance is business-critical, and then locate the accountable owner to plan remediation.

  • Identify application owners and asset locations.
  • Verify exposure and business criticality of the endpoint.
  • Plan remediation based on identified risks.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is RuoYi and how is it used?

RuoYi is a Java-based open-source framework frequently used as a foundation for building enterprise-level administrative platforms and management systems. It includes various built-in tools for rapid application development, such as the code generation module involved in this vulnerability, which helps developers create database-backed features by automating parts of the backend and frontend setup.

How does CVE-2026-38812 work?

This vulnerability is classified as a SQL Injection (CWE-89). It occurs when user-supplied input is not properly sanitized before being processed by database queries. In this case, an attacker can manipulate input within the code generation module to execute arbitrary SQL commands, potentially gaining unauthorized read access to sensitive database contents.

What triggers the vulnerability in the code generation module?

The issue is triggered by interacting with the `/tool/gen/createTable` endpoint. Successful exploitation requires an attacker to already possess administrative privileges within the application. The vulnerable logic sits behind functions reserved for administrative users, so an unauthenticated visitor or a low-privilege account cannot reach it; the realistic threat is a compromised or malicious administrator account.

Is my RuoYi instance at risk?

Halo Surface Signal notes that while the vulnerable endpoint is reachable over the network, it is typically intended for use by internal administrators. If your RuoYi instance is only accessible from within your internal network, the attack surface is significantly smaller. However, if this administrative interface is exposed directly to the public internet, the risk level increases substantially.

How should I respond to this vulnerability?

Start by identifying all instances of RuoYi within your environment and verifying whether they are internet-facing. Once instances are mapped, coordinate with the specific application owners to determine the business criticality of the affected code generation tools. Use this information to prioritize which systems require immediate attention or configuration changes to restrict access to the administrative endpoints, and review access logs for requests to the endpoint from outside the expected administrator population.
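The Operational Fix section and the response guidance above both come down to the same triage: find who is reaching `/tool/gen/createTable`, from where, and with what. The following script is an added example (not code from the RuoYi project or from this advisory) that runs that triage over web-server access log lines. It assumes a combined-format access log with the decoded form body appended as a final quoted field, which is a logging configuration you would have to set up yourself; the sample log lines, the `sql` form parameter name, and the "single plain CREATE TABLE statement" policy used for flagging are constructed assumptions for illustration, not a description of RuoYi's own validation logic.

```python
"""
Exposure and request triage for CVE-2026-38812 (added example, not RuoYi code).

Scans access log lines for requests to RuoYi's /tool/gen/createTable endpoint,
classifies the client address as internal or external, and flags request
bodies whose SQL is not a single plain CREATE TABLE statement. The log format
(combined log + trailing quoted decoded body) and the sample lines are
constructed assumptions for this example.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/tool/gen/createTable"

# Constructed sample log. Last quoted field is the form body (assumption).
SAMPLE_LOG = """\
10.0.4.17 - - [01/May/2026:09:12:03 +0000] "POST /tool/gen/createTable HTTP/1.1" 200 87 "-" "Mozilla/5.0" "sql=CREATE+TABLE+orders+(id+int+primary+key)"
203.0.113.45 - - [01/May/2026:09:14:21 +0000] "POST /tool/gen/createTable HTTP/1.1" 200 87 "-" "curl/8.4" "sql=CREATE+TABLE+t+(a+int);+SELECT+*+FROM+sys_user"
10.0.4.17 - - [01/May/2026:09:15:02 +0000] "GET /system/user/list HTTP/1.1" 200 2311 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [01/May/2026:09:16:40 +0000] "POST /tool/gen/createTable HTTP/1.1" 403 0 "-" "python-requests/2.31" "sql=CREATE+TABLE+x+(a+int)/*+*/"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Policy used for flagging (an operator's choice, not RuoYi's check): the
# submitted SQL should be exactly one CREATE TABLE statement.
CREATE_TABLE_RE = re.compile(r"^\s*CREATE\s+TABLE\s", re.IGNORECASE)


def is_internal(ip: str) -> bool:
    """True if the client address lies in an RFC 1918 or loopback range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_form_body(body: str) -> dict:
    """Decode a form-urlencoded body, splitting on '&' only so that a ';'
    inside the SQL value survives (older parse_qs splits on ';' too, which
    would hide a stacked statement from the check below)."""
    params = {}
    if body in ("", "-"):
        return params
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def sql_indicators(sql: str) -> list:
    """Reasons the submitted SQL departs from a single plain CREATE TABLE."""
    reasons = []
    if not CREATE_TABLE_RE.match(sql):
        reasons.append("not a CREATE TABLE statement")
    if ";" in sql:
        reasons.append("statement separator ';' (possible stacked query)")
    if "--" in sql or "/*" in sql or "#" in sql:
        reasons.append("SQL comment sequence")
    return reasons


def triage(log_text: str) -> list:
    """One record per request to the vulnerable endpoint."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?")[0] != TARGET_PATH:
            continue
        sql = parse_form_body(m.group("body")).get("sql")
        reasons = sql_indicators(sql) if sql is not None else ["no sql parameter captured"]
        records.append({
            "ip": m.group("ip"),
            "internal": is_internal(m.group("ip")),
            "status": int(m.group("status")),
            "sql": sql,
            "reasons": reasons,
        })
    return records


def summarize(records: list) -> dict:
    """Exposure summary. An external client receiving a 2xx proves the
    endpoint is both reachable and served from outside the internal network."""
    return {
        "hits": len(records),
        "external_hits": sum(1 for r in records if not r["internal"]),
        "external_successful": sum(1 for r in records
                                   if not r["internal"] and 200 <= r["status"] < 300),
        "suspicious": sum(1 for r in records if r["reasons"]),
    }


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(r["ip"], "internal" if r["internal"] else "EXTERNAL", r["status"], r["reasons"])
    print(summarize(recs))
```

On the constructed sample the script reports three hits on the endpoint: a clean internal request, an external request that succeeded with a stacked `SELECT` against a user table, and an external probe that was refused with 403 but still carries a comment sequence. The second record is the one that answers the exposure question: it shows the administrative endpoint is being served to the public internet, which moves the finding from the "internal administrators only" assumption in Halo Surface Signal to the higher-risk case described in the FAQ. Point the script at real logs by replacing `SAMPLE_LOG` with the file contents, and adjust `LOG_RE` to whatever your server actually emits.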
