CVE-2026-25076: SQL Injection in Anchore Anchore Enterprise
CVE-2026-25076 is a high-severity SQL injection vulnerability affecting Anchore Enterprise versions prior to 5.25.1. The flaw exists in the GraphQL Reports API and requires an attacker to have authenticated access to this API. Exploitation allows the attacker to execute arbitrary SQL commands, potentially modifying the Anchore Enterprise database contents. No user interaction is needed beyond authentication, but unauthenticated network access alone is not sufficient to exploit it. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to data integrity within affected environments. Organizations using Anchore Enterprise for container security and compliance should prioritize patching to version 5.25.1 or later.
AI Analysis
Technical Summary
CVE-2026-25076 is an SQL injection vulnerability identified in Anchore Enterprise, a widely used container security and compliance platform. The vulnerability resides in the GraphQL Reports API component of versions before 5.25.1. An attacker with authenticated access to the GraphQL API can craft malicious queries that inject arbitrary SQL commands, enabling unauthorized modification of the underlying Anchore Enterprise database. This can lead to data tampering, corruption, or unauthorized data manipulation, undermining the integrity and reliability of container security reports and compliance data. The vulnerability requires low attack complexity and no user interaction beyond authentication, making it a potent threat in environments where API credentials are compromised or misused. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) indicates that the attack is network-adjacent (AV:A), has low complexity (AC:L) and no additional attack requirements (AT:N), needs only low privileges (PR:L) and no user interaction (UI:N), and results in high confidentiality and integrity impact (VC:H, VI:H) with no availability impact (VA:N). Although no exploits are reported in the wild, the potential for damage is significant given the critical role Anchore Enterprise plays in container security workflows. The vulnerability highlights the importance of secure API design and input validation in GraphQL implementations. The vendor has addressed the issue in version 5.25.1, and users are strongly advised to upgrade promptly.
Potential Impact
The vulnerability allows authenticated attackers to execute arbitrary SQL commands, which can lead to unauthorized data modification within the Anchore Enterprise database. This compromises data integrity, potentially corrupting container security reports, compliance records, and other critical security information. The confidentiality impact is also high, as attackers could manipulate queries to extract sensitive data. Organizations relying on Anchore Enterprise for container security risk inaccurate security posture assessments, compliance failures, and potential downstream impacts on container deployment decisions. The ease of exploitation with low complexity and no user interaction increases the likelihood of successful attacks if credentials are compromised. This can lead to operational disruptions, loss of trust in security tooling, and increased risk of supply chain attacks if container images are improperly validated. The vulnerability does not directly affect availability but can indirectly cause service disruptions due to corrupted data or forced remediation efforts.
Mitigation Recommendations
1. Upgrade Anchore Enterprise to version 5.25.1 or later immediately to apply the official patch that fixes the SQL injection vulnerability.
2. Restrict access to the GraphQL Reports API strictly to trusted and authenticated users, employing strong authentication mechanisms such as multi-factor authentication (MFA).
3. Implement network segmentation and firewall rules to limit API access to only necessary internal systems or trusted IP ranges.
4. Monitor API usage logs for unusual or suspicious query patterns that may indicate attempted exploitation.
5. Conduct regular security assessments and code reviews focusing on GraphQL query handling and input validation to prevent similar injection flaws.
6. Employ runtime application self-protection (RASP) or Web Application Firewalls (WAF) with custom rules to detect and block SQL injection attempts targeting the GraphQL API.
7. Educate administrators and developers on secure API usage and the risks of SQL injection in GraphQL contexts.
8. Maintain an incident response plan to quickly address any detected exploitation attempts or data integrity issues.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-28T21:47:35.121Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b3304b2f860ef943fa4693
Added to database: 3/12/2026, 9:29:47 PM
Last enriched: 3/20/2026, 2:41:36 AM
Last updated: 4/27/2026, 1:24:05 AM