CVE-2026-44204: CWE-20: Improper Input Validation in Shelf-nu shelf.nu
Shelf-nu versions from 1. 12 up to but not including 1. 20. 1 contain a SQL injection vulnerability in the sortBy query parameter on the /assets route. This flaw allows any authenticated user, regardless of role, to execute arbitrary SQL queries and read data from any database table, including data from other organizations. The vulnerability has a CVSS score of 6. 5, indicating medium severity. A fix for this issue is available in version 1. 20. 1.
AI Analysis
Technical Summary
CVE-2026-44204 is a SQL injection vulnerability affecting Shelf-nu, a physical asset tracking platform. The vulnerability exists in the sortBy query parameter of the /assets route in versions 1.12 through 1.20.0. It permits any authenticated user to inject arbitrary SQL commands, enabling unauthorized reading of data across all database tables, including those belonging to other organizations. This issue is classified under CWE-20 (Improper Input Validation) and CWE-89 (SQL Injection). The vulnerability is resolved in Shelf-nu version 1.20.1.
Potential Impact
Exploitation of this vulnerability allows authenticated users to bypass access controls and read sensitive data from any table in the database, including data from other organizations. This can lead to unauthorized disclosure of confidential information. The vulnerability does not impact data integrity or availability according to the CVSS vector, but confidentiality is highly impacted.
Mitigation Recommendations
Upgrade Shelf-nu to version 1.20.1 or later, where this SQL injection vulnerability has been fixed. No other mitigations are indicated or required once the update is applied.
CVE-2026-44204: CWE-20: Improper Input Validation in Shelf-nu shelf.nu
Description
Shelf-nu versions from 1. 12 up to but not including 1. 20. 1 contain a SQL injection vulnerability in the sortBy query parameter on the /assets route. This flaw allows any authenticated user, regardless of role, to execute arbitrary SQL queries and read data from any database table, including data from other organizations. The vulnerability has a CVSS score of 6. 5, indicating medium severity. A fix for this issue is available in version 1. 20. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44204 is a SQL injection vulnerability affecting Shelf-nu, a physical asset tracking platform. The vulnerability exists in the sortBy query parameter of the /assets route in versions 1.12 through 1.20.0. It permits any authenticated user to inject arbitrary SQL commands, enabling unauthorized reading of data across all database tables, including those belonging to other organizations. This issue is classified under CWE-20 (Improper Input Validation) and CWE-89 (SQL Injection). The vulnerability is resolved in Shelf-nu version 1.20.1.
Potential Impact
Exploitation of this vulnerability allows authenticated users to bypass access controls and read sensitive data from any table in the database, including data from other organizations. This can lead to unauthorized disclosure of confidential information. The vulnerability does not impact data integrity or availability according to the CVSS vector, but confidentiality is highly impacted.
Mitigation Recommendations
Upgrade Shelf-nu to version 1.20.1 or later, where this SQL injection vulnerability has been fixed. No other mitigations are indicated or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:13:47.571Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a036fd1cbff5d86100ccd2a
Added to database: 5/12/2026, 6:22:09 PM
Last enriched: 5/12/2026, 6:39:52 PM
Last updated: 5/12/2026, 9:05:23 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.