CVE-2026-21856
Published: 07 January 2026
Summary
CVE-2026-21856 is a high-severity SQL Injection (CWE-89) vulnerability in Tarkov Data Manager (the-hideout/tarkov-data-manager). Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21856 is a time-based blind SQL injection vulnerability (CWE-89) in the Tarkov Data Manager, an open-source tool for managing item data for the game Tarkov. The issue affects the webhook edit and scanner API endpoints in versions prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, enabling arbitrary SQL query execution against the backend MySQL database. Because the injection is blind, query results are not echoed in the HTTP response; the attacker infers them from response timing (for example by injecting a conditional delay such as MySQL's SLEEP()). That makes data extraction slower than an error- or union-based injection, but it does not limit what can be read or modified.
An authenticated attacker with high privileges (PR:H), that is, an account able to reach the webhook edit and scanner endpoints, can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U), as reflected in the CVSS v3.1 base score of 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Mitigation is provided by upgrading to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 or later, which patches the vulnerable endpoints. Further details on the vulnerability and fix are documented in the GitHub commit at https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8 and the security advisory at https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1401
Vulnerability details
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct mapping to exploitation of a vulnerable web/API application (SQL injection in webhook and scanner endpoints) allowing remote arbitrary query execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all inputs to the webhook edit and scanner API endpoints, blocking the unsanitized SQL strings that enable the time-based blind injection.
- SI-2 (Flaw Remediation): mandates prompt application of the patch in commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, which eliminates the vulnerable code paths in the affected endpoints.
- Least privilege for the application's database account: limits the database privileges granted to the application service account so that even a successful SQL injection yields reduced confidentiality, integrity, and availability impact on the MySQL instance.
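The following is an added example, not code from the tarkov-data-manager project or its patch. It shows, in JavaScript, the query-building pattern that produces CWE-89 in a webhook-edit handler beside its parameterized form (the SI-10 control above), and the detection side of the same technique: a scan of constructed access-log entries for the delay primitives (MySQL's SLEEP() and BENCHMARK()) that a time-based blind injection depends on, correlated with response time. The endpoint paths, the webhooks table and its columns, and the log format are assumptions for illustration.

```javascript
// Added example (not project code). Table/column names, the /api/webhook/edit
// and /api/scanner paths, and the log format are assumptions.

// Vulnerable pattern: attacker-controlled fields are spliced into the SQL
// text, so a value such as  x' OR SLEEP(5)-- -  is parsed by MySQL as SQL.
function buildWebhookUpdateVulnerable(body) {
  return `UPDATE webhooks SET name = '${body.name}', url = '${body.url}' ` +
    `WHERE id = ${body.id}`;
}

// Hardened pattern: the statement is a constant with placeholders and the
// values are handed to the driver separately (mysql2's execute(sql, values)
// takes exactly this pair), so they are sent as data, never as SQL. Returning
// the pair instead of executing keeps the example runnable without a database.
function buildWebhookUpdateSafe(body) {
  const id = Number(body.id);
  if (!Number.isInteger(id) || id <= 0) {
    throw new TypeError('id must be a positive integer');
  }
  if (typeof body.name !== 'string' || body.name.length === 0 || body.name.length > 100) {
    throw new TypeError('name must be a non-empty string of at most 100 chars');
  }
  let url;
  try { url = new URL(String(body.url)); } catch { throw new TypeError('url is not a valid URL'); }
  if (url.protocol !== 'https:') throw new TypeError('webhook url must use https');
  return {
    sql: 'UPDATE webhooks SET name = ?, url = ? WHERE id = ?',
    values: [body.name, url.href, id],
  };
}

// Detection: a time-based blind injection must carry a delay primitive.
// SLEEP() and BENCHMARK() are MySQL's; the others are the same idea on other
// engines and are cheap to include.
const DELAY_PRIMITIVE = /\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b/i;

// Assumed log format: <ip> <user> "<METHOD> <path-with-query>" <status> <duration_ms>
const LOG_LINE = /^(\S+) (\S+) "(\S+) ([^"]+)" (\d{3}) (\d+)$/;

// Parses one line and reports which query parameters contain a delay
// primitive; URLSearchParams undoes percent-encoding and '+' for us.
function inspectLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, user, method, fullPath, status, ms] = m;
  const qIndex = fullPath.indexOf('?');
  const params = new URLSearchParams(qIndex >= 0 ? fullPath.slice(qIndex + 1) : '');
  const hits = [];
  for (const [key, value] of params) {
    if (DELAY_PRIMITIVE.test(value)) hits.push(key);
  }
  return {
    ip, user, method,
    path: qIndex >= 0 ? fullPath.slice(0, qIndex) : fullPath,
    status: Number(status),
    ms: Number(ms),
    hits,
    // A request that both carries a delay primitive and took seconds is the
    // strongest signal; the threshold matches the SLEEP(5) used in the samples.
    slow: Number(ms) >= 5000,
  };
}

function findTimeBasedSqli(lines) {
  return lines.map(inspectLogLine).filter((r) => r !== null && r.hits.length > 0);
}

// Constructed sample lines (not real traffic): one benign edit, two probes
// against the scanner endpoint (a plain SLEEP and a conditional one that
// tests the first character of user()), and a benign value that merely
// contains the word "sleep".
const SAMPLE_LOG = [
  '10.0.0.5 admin "POST /api/webhook/edit?id=12&name=prod&url=https%3A%2F%2Fhooks.example%2Fx" 200 31',
  '10.0.0.5 admin "GET /api/scanner?name=x%27+AND+SLEEP%285%29--+-" 200 5014',
  '10.0.0.5 admin "GET /api/scanner?name=x%27+AND+IF%28SUBSTRING%28user%28%29%2C1%2C1%29%3D%27r%27%2CSLEEP%285%29%2C0%29--+-" 200 5009',
  '10.0.0.9 bob "GET /api/scanner?name=sleepy" 200 22',
];

if (typeof require !== 'undefined' && require.main === module) {
  const probe = { id: 12, name: "x' OR SLEEP(5)-- -", url: 'https://h.example/x' };
  console.log(buildWebhookUpdateVulnerable(probe));
  console.log(buildWebhookUpdateSafe(probe));
  for (const hit of findTimeBasedSqli(SAMPLE_LOG)) console.log(hit);
}
```

The detector is deliberately narrow: it flags the delay primitive rather than every quote or comment sequence, because that is the one thing a time-based blind probe cannot do without, and pairing a hit with a multi-second response time separates a probe that worked from one that was rejected.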