CVE-2026-50636: LimeSurvey RemoteControl API SQL Injection (CVSS 8.8)
LimeSurvey's RemoteControl API contains a SQL injection vulnerability in two methods used to manage survey participant invitations. An authenticated attacker with permission to update survey tokens can craft a malicious input array that breaks out of the intended SQL query and execute arbitrary database commands. Because LimeSurvey's database configuration allows stacked queries, an attacker can not only read sensitive data—such as administrator password hashes, survey responses, and user session records—but also modify or delete any data in the database, including taking over administrator accounts. This attack requires the RemoteControl interface to be explicitly enabled (not the default configuration) and authenticated API access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote, authenticated attacker holding the tokens/update permission on a survey can inject a crafted array element to perform SQL injection. Because LimeSurvey configures its PDO connection with emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statements, the injection supports stacked queries: the attacker can append arbitrary additional statements (INSERT/UPDATE/DELETE/DROP/CREATE) after the original SELECT. This permits both arbitrary read of any data in the database, such as administrator bcrypt password hashes (lime_users), survey response PII, session records, and global settings, all recoverable via a SLEEP() time-based blind oracle, and arbitrary write/destruction of that data, including directly overwriting the administrator password hash for immediate account takeover or dropping/truncating tables. Reads and writes extend to any schema the application's database user can access. The RemoteControl interface (RPCInterface = json/xml) must be enabled, which is not the default.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the RemoteControl API's invite_participants and remind_participants methods, which accept a caller-supplied array of token IDs. These values are passed directly to TokenDynamic::findUninvited() without parameterization or validation, where they are concatenated into a WHERE token IN (...) clause. LimeSurvey's PDO configuration uses emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statement execution. An attacker can inject SQL metacharacters and statement terminators to break the query syntax, allowing injection of additional SELECT, INSERT, UPDATE, DELETE, DROP, or CREATE statements in the same request. Data extraction is possible via time-based blind SQL injection using SLEEP() functions to infer database contents. Full write access to the database—limited only by the application's database user privileges—enables data modification, table destruction, and direct administrator credential compromise.
Business impact
Successful exploitation allows complete compromise of LimeSurvey instance confidentiality, integrity, and availability. An attacker can exfiltrate all survey data, user credentials, and administrative settings; directly modify or delete survey responses and user records; seize administrative accounts; or render the application inoperable by dropping core tables. For organizations using LimeSurvey to collect sensitive information (HR surveys, customer feedback, research data), the exposure is severe. Compliance implications depend on data sensitivity and regulatory obligations (GDPR, HIPAA, etc.). Incident response would require forensic investigation of database logs and potential notification obligations to data subjects.
Affected systems
LimeSurvey installations with RemoteControl API enabled are affected. The RemoteControl interface is not enabled by default, so risk is limited to deployments that have explicitly activated it (RPCInterface = json/xml configuration). All affected versions prior to a patched release are susceptible if this configuration is present. Check your LimeSurvey admin panel under Global Settings > Security for 'Enable RemoteControl API' status.
Exploitability
Exploitation requires two conditions: (1) RemoteControl API must be enabled (non-default), and (2) the attacker must hold valid API credentials or session access with the tokens/update permission. No special network positioning or user interaction is required beyond initial authentication. Once authenticated, the injection is trivial to execute via JSON or XML API calls; no complex evasion is needed. The SQL injection itself is straightforward due to lack of input validation. However, data exfiltration via blind injection is time-consuming and may trigger database slow-query logging. Overall exploitability is high among organizations running RemoteControl; risk is low for default deployments without it.
Remediation
Apply the vendor's patched release when available (verify the specific version number against the LimeSurvey advisory). The patch should parameterize token ID inputs using prepared statement placeholders rather than string concatenation. As a temporary mitigation for unpatched systems, disable the RemoteControl API (set RPCInterface = false in the configuration) if not actively in use. Restrict API access via firewall rules or reverse-proxy authentication to trusted client IP ranges. Audit database user privileges to ensure the LimeSurvey application account has the minimum necessary permissions. Monitor database logs for multi-statement queries or unusual INSERT/UPDATE/DELETE patterns.
Patch guidance
Wait for official LimeSurvey release notes and security advisory that specify the patched version number. Apply patches to all affected instances immediately upon availability. Test in a non-production environment first to ensure compatibility with your configuration and custom extensions. After patching, verify RemoteControl API functionality if your deployment relies on it, and confirm that API calls still work as expected. Review any custom integrations or scripts that invoke the RemoteControl interface.
Detection guidance
Monitor database query logs for: (1) SQL queries containing UNION, SELECT within WHERE clauses, SLEEP(), BENCHMARK(), or other injection signatures in the token ID context; (2) multi-statement execution or statement terminators (semicolons) in API request payloads; (3) unauthorized INSERT, UPDATE, DELETE, DROP, or CREATE statements issued by the application database user. Monitor application logs for RemoteControl API calls with unusual or malformed token array parameters. Set up alerts on failed authentication attempts against the API endpoint. Database performance anomalies (long-running queries) during API calls may indicate blind injection attempts.
Why prioritize this
CVSS 8.8 (HIGH) reflects the severity of unauthenticated read and write access to the entire database. However, the requirement for RemoteControl enablement and prior authentication reduces real-world risk for many deployments. Prioritize patching if: (1) RemoteControl is enabled and exposed to untrusted networks; (2) your LimeSurvey instance handles sensitive survey data (PII, financial, health); (3) the instance is internet-facing. If RemoteControl is disabled or behind strong network controls, risk is manageable short-term while awaiting patches.
Risk score, explained
The CVSS 3.1 score of 8.8 captures complete database compromise (Confidentiality: High, Integrity: High, Availability: High) with no user interaction required and low attack complexity. The score reflects that an authenticated attacker can read and modify any data without special privileges. The score is appropriate but should be contextualized: risk is substantially lower in default LimeSurvey installations (RemoteControl disabled) and higher in organizations that rely on RemoteControl for third-party integrations.
Frequently asked questions
Is my LimeSurvey installation vulnerable if I haven't enabled RemoteControl?
No. The vulnerability requires RemoteControl API to be explicitly enabled. Check LimeSurvey admin settings under Global Settings > Security > 'Enable RemoteControl API'. If this is off or not configured, you are not vulnerable to this CVE, though you should still keep LimeSurvey updated for other security patches.
Can an unauthenticated attacker exploit this?
No. The attacker must be authenticated to the RemoteControl API or hold a valid session token. If RemoteControl requires API key authentication, the attacker must obtain valid credentials. This is still a serious threat if keys are leaked or if internal staff are compromised, but it is not a direct internet-facing worm vector.
How do I know if my survey data was stolen?
Blind SQL injection leaves minimal obvious traces in application logs. You will need to review database audit logs for: unauthorized SELECT queries, especially those containing SLEEP() or time-delay functions; unusual INSERT/UPDATE/DELETE patterns; and queries accessing lime_users or lime_survey_response tables outside normal application workflows. Engage your database administrator or a forensic analyst if you suspect compromise.
What if I cannot patch immediately?
Disable RemoteControl API if you do not actively use it (set RPCInterface = false in config). If you do use RemoteControl, restrict API endpoint access to a whitelist of trusted client IPs using firewall rules or a reverse proxy. Ensure your database user account has minimal necessary privileges (no DDL permissions if possible). Monitor database and application logs closely. Patch as soon as testing is complete.
This analysis is provided for informational purposes and represents our interpretation of publicly available vulnerability information as of the publication date. We do not possess access to exploit code or active attack telemetry. Patch version numbers, vendor advisories, and availability timelines must be verified against the official LimeSurvey security announcement. Organizations should conduct their own risk assessment based on their specific LimeSurvey configuration, data sensitivity, and network exposure. SEC.co does not guarantee the completeness or accuracy of affected product lists provided in vendor advisories. Testing patches in a non-production environment before production deployment is mandatory. If you believe your LimeSurvey instance has been compromised, engage a qualified incident response team and preserve database logs for forensic investigation. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches
- CVE-2017-20246HIGHKittyCatfish 2.2 SQL Injection Vulnerability – WordPress Plugin Security Alert
- CVE-2017-20247HIGHSQL Injection in PICA Photo Gallery 1.0