CVE-2026-5147 is a SQL injection vulnerability identified in the YunaiV yudao-cloud platform, specifically affecting version 2026.01 and earlier. The vulnerability resides in the /admin-api/system/tenant/get-by-website API endpoint, where the Website parameter is not properly sanitized before being used in SQL queries. This improper input validation allows an unauthenticated remote attacker to inject arbitrary SQL code, potentially manipulating the backend database. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation combined with limited but meaningful impacts on confidentiality, integrity, and availability. The vendor was notified early but has not issued any response or patch, and a public exploit has been released, increasing the risk of exploitation. While no active exploitation in the wild has been confirmed, the availability of a public exploit makes timely mitigation critical. The vulnerability could allow attackers to extract sensitive tenant data, modify database contents, or disrupt service availability depending on the injected payload and database permissions. The lack of vendor response and patch availability heightens the urgency for organizations to implement compensating controls.

This vulnerability poses a significant risk to organizations using YunaiV yudao-cloud 2026.01, particularly those managing sensitive tenant or customer data. Successful exploitation can lead to unauthorized data disclosure, data manipulation, and potential denial of service through database corruption or query disruption. The remote, unauthenticated nature of the attack vector increases the threat surface, enabling attackers to target exposed API endpoints without needing credentials or user interaction. This can result in breaches of confidentiality and integrity, undermining trust and potentially causing regulatory compliance issues. Service availability may also be impacted if attackers execute destructive SQL commands. The public availability of an exploit increases the likelihood of opportunistic attacks, especially against organizations that have not implemented adequate input validation or network segmentation. The absence of vendor patches means organizations must rely on alternative mitigations to protect their environments. Overall, the threat could disrupt business operations, lead to data loss, and expose sensitive tenant information, impacting organizations globally but especially those in regions with significant yudao-cloud deployments.

Given the lack of an official patch from the vendor, organizations should implement immediate compensating controls. First, apply strict input validation and sanitization on the Website parameter at the application or API gateway level to block malicious SQL payloads. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint. Restrict network access to the /admin-api/system/tenant/get-by-website endpoint by limiting exposure to trusted internal networks or VPNs only. Monitor logs for unusual query patterns or repeated access attempts to this API. Employ database-level protections such as least privilege principles, ensuring the database user account used by yudao-cloud has minimal permissions, preventing destructive SQL commands. Consider deploying runtime application self-protection (RASP) solutions to detect and block injection attempts in real time. Regularly back up databases to enable recovery in case of data corruption. Finally, maintain active threat intelligence monitoring for any emerging exploits or vendor updates to apply patches promptly once available.