Unauthenticated SQL Injection in Metacat Data Repository Software
CVE-2026-48114

9.8CRITICAL

Key Information:

Vendor: Nceas
Status: Metacat
Vendor: CVE Published:; 15 June 2026

What is CVE-2026-48114?

Metacat, a data repository software, contains an unauthenticated SQL injection vulnerability in its /harvesterRegistration endpoint. The vulnerability arises from the improper handling of parameters during the construction of SQL statements, specifically within the HarvesterRegistration.dbInsert() function. This flaw allows attackers to manipulate the unit, contactEmail, and documentListURL parameters, leading to unauthorized access to the Metacat database. The PostgreSQL backend's support for stacked queries via Statement.executeUpdate() exacerbates the issue, granting attackers extensive permissions to read, write, and execute commands within the database context. Users are encouraged to upgrade to Metacat version 3.0.0 or higher to mitigate this risk.

Affected Version(s)

metacat >= 2.0.0, < 3.0.0

References

https://github.com/NCEAS/metacat/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/NCEAS/metacat/commit/820d595309b399fdb...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-48114 Data

JSON

Nceas

What is CVE-2026-48114?

Affected Version(s)

References

CVSS V3.1

Timeline