CVE-2026-49344: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in sourcentis mercator
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
AI Analysis
Technical Summary
CVE-2026-49344 describes an authorization bypass vulnerability in Mercator's Query Engine before version 2025.05.19. The execute() method in QueryController lacks an authorization gate, unlike other methods in the same controller, enabling any authenticated user to perform queries on models outside their access scope, including the User model. The password column, despite being marked as hidden, is not excluded from filter predicates and can be used in LIKE conditions, risking exposure of private personal information. The schema() and schemaModel() endpoints are also unprotected. The vulnerability is limited to read-only access and does not affect data integrity or availability. The issue is fixed in version 2025.05.19.
Potential Impact
Unauthorized authenticated users, including those with limited roles such as Auditor, can access sensitive personal information by querying restricted models, including user passwords via filter predicates. This exposure compromises confidentiality but does not affect data integrity or availability. The vulnerability allows information disclosure within the scope of read-only queries.
Mitigation Recommendations
A fix is available in Mercator version 2025.05.19, which adds proper authorization checks to the QueryController::execute() method and related endpoints. Users should upgrade to this version or later to remediate the vulnerability. Until upgraded, restrict access to authenticated users with trusted roles and monitor for unauthorized query activity.
CVE-2026-49344: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in sourcentis mercator
Description
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
CVSS v4.0
Score 7.1high
Affected software
pkg:github/sourcentis/mercatorRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49344 describes an authorization bypass vulnerability in Mercator's Query Engine before version 2025.05.19. The execute() method in QueryController lacks an authorization gate, unlike other methods in the same controller, enabling any authenticated user to perform queries on models outside their access scope, including the User model. The password column, despite being marked as hidden, is not excluded from filter predicates and can be used in LIKE conditions, risking exposure of private personal information. The schema() and schemaModel() endpoints are also unprotected. The vulnerability is limited to read-only access and does not affect data integrity or availability. The issue is fixed in version 2025.05.19.
Potential Impact
Unauthorized authenticated users, including those with limited roles such as Auditor, can access sensitive personal information by querying restricted models, including user passwords via filter predicates. This exposure compromises confidentiality but does not affect data integrity or availability. The vulnerability allows information disclosure within the scope of read-only queries.
Mitigation Recommendations
A fix is available in Mercator version 2025.05.19, which adds proper authorization checks to the QueryController::execute() method and related endpoints. Users should upgrade to this version or later to remediate the vulnerability. Until upgraded, restrict access to authenticated users with trusted roles and monitor for unauthorized query activity.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.903Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a359d6df198dc38c12203aa
Added to database: 6/19/2026, 7:50:05 PM
Last enriched: 6/19/2026, 8:04:57 PM
Last updated: 6/19/2026, 9:12:43 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.