External risk intelligence

Metacat SQL Injection in Harvester Registration Endpoint Allows Full Database Access.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-48114

Metacat, used for data preservation and sharing, has a critical SQL injection vulnerability in its harvester registration endpoint. This flaw allows unauthenticated attackers to execute arbitrary commands, read, or write to the Metacat database, potentially impacting data integrity and availability. Organizations shoul

Halo Surface Signal: 4

SQL Injection

External exposure likelihood


Metacat is a data repository and research software platform designed to share and discover data, which typically requires public web accessibility. The vulnerable endpoint is a web-accessible registration servlet intended for external harvester interactions, making it a common internet-facing service in standard deployments.

PCI scan relevance


Yes

CVE-2026-48114 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability in Metacat could lead to a PCI ASV scan failure because it allows unauthorized access and modification of database content.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Metacat, a data repository software used by researchers. This issue, an unauthenticated SQL injection, could allow unauthorized access to read, write, or execute commands within the Metacat database. The primary concern is to confirm whether your organization uses this software and whether it is exposed to potential exploitation.

  • Unauthenticated SQL injection in data-sharing software.
  • Affects data preservation, sharing, and discovery capabilities.
  • Confirm Metacat usage and external exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to the Metacat data repository. The `/harvesterRegistration` endpoint, which is exposed externally, does not require any authentication and directly processes user-supplied parameters. These parameters are used to build a database query without proper sanitization, allowing an attacker to inject malicious SQL commands. This can lead to unauthorized access and modification of the Metacat database.

  • No authentication needed.
  • Exploitable via web request.
  • Complete database control.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, an unauthenticated SQL injection in Metacat's harvester registration endpoint could allow an attacker to read, write, or execute arbitrary commands within the Metacat database. This is possible because the affected component uses string concatenation to build SQL queries without properly sanitizing user-supplied input from specific request parameters.

  • Database data and access.
  • Via unauthenticated network requests.
  • Full database read/write/execute.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this SQL injection vulnerability in Metacat. The first practical step is to identify all Metacat instances, determine their reachability and business criticality, and confirm the accountable owner before planning remediation.

  • Application owners must track Metacat instances.
  • Verify Metacat reachability and criticality.
  • Coordinate vendor updates and plan maintenance.

Frequently asked questions

What is Metacat software?

Metacat is a specialized data repository platform designed for the research community. It enables scientists and institutions to preserve, organize, and share complex datasets. By providing a centralized discovery mechanism, the software allows users to find and retrieve data essential for collaborative research efforts.

How does CVE-2026-48114 cause a security weakness?

This vulnerability is an instance of CWE-89, or SQL Injection. The software improperly handles user-provided data when building database commands. Instead of sanitizing this input, it uses string concatenation, which allows an attacker to break out of the intended query structure and execute arbitrary SQL commands directly against the backend database.
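The difference between concatenating request parameters into a statement and binding them as parameters, shown as an added example that is not Metacat's code; the table, column names, and registration values are constructed stand-ins:

```python
import sqlite3

# Constructed stand-in for a harvester registration table (hypothetical names,
# not Metacat's schema).
SCHEMA = """
CREATE TABLE harvest_site (
    site_id       INTEGER PRIMARY KEY,
    contact_email TEXT NOT NULL,
    harvest_url   TEXT NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register_concatenated(conn, email, url):
    """CWE-89 pattern: request parameters are spliced into the SQL text, so a
    quote character in either value rewrites the statement instead of being
    stored as data."""
    sql = ("INSERT INTO harvest_site (contact_email, harvest_url) "
           "VALUES ('" + email + "', '" + url + "')")
    conn.execute(sql)
    conn.commit()

def register_parameterized(conn, email, url):
    """Hardened form: the statement text is fixed and the values are bound
    parameters, which the driver never interprets as SQL."""
    conn.execute(
        "INSERT INTO harvest_site (contact_email, harvest_url) VALUES (?, ?)",
        (email, url),
    )
    conn.commit()

def stored_emails(conn):
    rows = conn.execute("SELECT contact_email FROM harvest_site ORDER BY site_id")
    return [email for (email,) in rows]

def demo():
    """Registers one constructed value through both paths; returns
    (concatenated_version_broke, emails_actually_stored)."""
    email = "o'brien@example.org"  # constructed: a single quote is enough
    url = "https://harvester.example.org/oai"  # constructed
    conn = open_db()
    try:
        register_concatenated(conn, email, url)
        broke = False
    except sqlite3.OperationalError:  # input altered the statement structure
        broke = True
    register_parameterized(conn, email, url)
    return broke, stored_emails(conn)
```

The same separation of statement text from values is what `java.sql.PreparedStatement` provides in a Java servlet, which is the remediation pattern for this weakness class.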

Do I need to be authenticated to trigger this vulnerability?

No. The vulnerability exists within the /harvesterRegistration endpoint, which does not verify user identity. Attacks succeed because the system fails to check for legitimate credentials or LDAP identity before processing the request. Note that requests not targeting this specific harvester registration functionality will not trigger this particular issue.

Is my Metacat instance relevant to this threat?

According to Halo Surface Signal, Metacat is frequently deployed as an internet-facing service because it is designed for global data sharing and discovery. If your instance is accessible from the public internet to support these harvester interactions, it is at higher risk. Internal-only instances still require attention, but internet-facing ones should be prioritized.

When should I take action to remediate this?

You should begin by performing an inventory of all Metacat installations in your environment to understand your total footprint. Once located, verify the version of each instance; the vulnerability is addressed in version 3.0.0. Coordinate with your application owners to plan an update to this version as soon as possible.
