Security Bulletin #26-002 - DriveLock Enterprise Service (DES): SQL Injection via RQL (ZDI-CAN-28726)
First published: 2026-02-06
Last updated: 2026-02-17
CVE: CVE-2026-XXXX (not yet published)
EUVD: EUVD-XXXX (not yet published)
CVSS Score: HIGH 8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected product(s): DriveLock SE — DriveLock Enterprise Service (DES)
Disclosure status: Coordinated
Vulnerability type / classification: SQL Injection (Privilege Escalation)
Attack type: Remote
Attack vector: Network (RQL to SQL translation layer)
Summary
A SQL injection vulnerability allows injection of arbitrary SQL statements via RQL, potentially leading to privilege escalation.
Description
The web application implements a custom Resource Query Language (RQL) to allow users to query stored data. The translation from RQL to SQL does not properly validate and sanitize user input.
As a result, an attacker can inject arbitrary SQL statements through crafted RQL queries. Successful exploitation may allow escalation of privileges and unauthorized access to sensitive data.
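The following is an added illustration of this vulnerability class, not DriveLock's code: the page does not describe the real RQL grammar, so the tiny `op(field,value)` filter syntax, the `users` table and the field names are assumptions. It contrasts a translator that pastes RQL fragments into the SQL text with a hardened one that allow-lists identifiers and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed, hypothetical RQL subset: a single filter "op(field,value)",
# e.g. eq(name,alice). Assumed for illustration; not DriveLock's RQL.
RQL_RE = re.compile(r"^(\w+)\((\w+),(.*)\)$")

ALLOWED_FIELDS = {"name", "department"}
ALLOWED_OPS = {"eq": "=", "ne": "<>"}


def rql_to_sql_unsafe(rql):
    """The defective pattern: the RQL value is spliced into the SQL string."""
    op, field, value = RQL_RE.match(rql).groups()
    return f"SELECT name FROM users WHERE {field} {ALLOWED_OPS[op]} '{value}'"


def rql_to_sql_safe(rql):
    """Hardened translation: identifiers only from an allow-list, value bound."""
    m = RQL_RE.match(rql)
    if not m:
        raise ValueError("malformed RQL")
    op, field, value = m.groups()
    if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
        raise ValueError("unknown field or operator")
    # The value never becomes part of the SQL text; the driver binds it.
    return f"SELECT name FROM users WHERE {field} {ALLOWED_OPS[op]} ?", (value,)


def _db():
    # Constructed in-memory sample data so the example runs offline.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, department TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "it"), ("bob", "hr")])
    return con


def run_unsafe(rql):
    return [r[0] for r in _db().execute(rql_to_sql_unsafe(rql))]


def run_safe(rql):
    sql, params = rql_to_sql_safe(rql)
    return [r[0] for r in _db().execute(sql, params)]
```

A regression test for the fix is simply that a value containing quote characters is matched as a literal by the hardened path, while the allow-list rejects any field or operator the schema does not expose.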
Affected versions
- DriveLock <= 24.2.8 — vulnerable (fixed in 24.2.9)
- DriveLock <= 25.1.6 — vulnerable (fixed in 25.1.7)
- DriveLock <= 25.2.3 — vulnerable (fixed in 25.2.4)
Mitigation
Update to the patched versions immediately.
Fixed in
- DriveLock 24.2.9
- DriveLock 25.1.7
- DriveLock 25.2.4
References
- CVE-2026-XXXX (not yet published)
- ZDI-CAN-28726
Credits
This vulnerability was discovered by stuxxn working with TrendAI Zero Day Initiative.
How to update your environment
To ensure continued protection, update to one of the fixed versions listed above.
Additionally, we always recommend using the latest available DriveLock release to benefit from ongoing improvements and security enhancements.