CVE-2026-1367 identifies an authenticated SQL Injection vulnerability in the ManageEngine ADSelfService Plus product by Zohocorp, affecting versions 6522 and earlier. The flaw resides in the search report feature, where user-supplied input is improperly sanitized before being incorporated into SQL queries. This improper neutralization of special elements (CWE-89) allows an authenticated attacker to inject malicious SQL commands. The vulnerability has a CVSS v3.1 base score of 8.3, reflecting high severity due to its potential impact on confidentiality and integrity, combined with low attack complexity and no requirement for user interaction. Exploiting this vulnerability could enable attackers to extract sensitive information such as user credentials, modify or delete data, and potentially escalate privileges within the application or connected systems. Although exploitation requires valid credentials, the broad usage of ADSelfService Plus in enterprise environments makes this a critical concern. No public exploit code or active exploitation has been reported yet, but the risk remains significant due to the nature of the vulnerability and the critical role of the affected software in identity and access management. The lack of available patches at the time of disclosure necessitates immediate attention to mitigation strategies.

The impact of CVE-2026-1367 is substantial for organizations using ManageEngine ADSelfService Plus. Successful exploitation compromises the confidentiality and integrity of sensitive user and authentication data managed by the platform. Attackers could retrieve password hashes, personal information, or configuration details, facilitating further lateral movement or privilege escalation within the network. Data modification could disrupt authentication workflows or corrupt audit logs, undermining trust and compliance efforts. Although availability impact is low, the breach of identity management systems can lead to significant operational disruption and increased risk of downstream attacks. Enterprises relying on ADSelfService Plus for self-service password resets and identity governance are particularly vulnerable, as attackers may leverage this access to compromise broader IT infrastructure. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s characteristics make it a prime target for attackers once exploit code becomes available.

Organizations should immediately assess their ManageEngine ADSelfService Plus deployments to identify affected versions (6522 and below). The primary mitigation is to apply vendor-provided patches or updates once available. In the absence of patches, restrict access to the ADSelfService Plus application to trusted networks and enforce strong authentication controls to limit attacker access. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the search report functionality. Conduct thorough input validation and sanitization on all user inputs, especially those used in SQL queries. Monitor logs for unusual query patterns or failed login attempts that may indicate exploitation attempts. Additionally, review and minimize user privileges to reduce the risk posed by compromised credentials. Regularly audit and back up critical data to enable recovery in case of data tampering. Finally, maintain up-to-date threat intelligence feeds to respond promptly if exploit code emerges.