The Time Bomb in the Schema: Liferay Upgrade SQL Injection
Jan 13, 2026 · 7 min read
Executive Summary (TL;DR)
Liferay's upgrade tooling for Microsoft SQL Server trusts database metadata blindly: it reads primary-key constraint names from the catalog and uses them directly in the SQL it runs. An attacker who can rename a primary-key constraint so that the name carries SQL plants a payload that the upgrade script later executes with its own elevated privileges. It is a classic second-order SQL injection turned into a persistence time bomb that fires on the next upgrade.
The vulnerability is high-complexity (the attacker already needs enough database or schema access to rename a constraint, and an administrator has to trigger an upgrade) but severe in outcome: payloads planted in database metadata (primary-key constraint names) in Liferay Portal and DXP are executed with the privileges of the upgrade process.
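The mechanism described above, as an added example that is not Liferay's code: a Python sketch of how a metadata-driven upgrade step turns a renamed primary-key constraint into a second-order injection, beside a hardened statement builder and a pre-upgrade audit. The constraint names are constructed for illustration and the injected second statement is a placeholder, not a known payload; `sys.key_constraints` is a real SQL Server catalog view, but the filtering logic and every function name here are our own assumptions.

```python
import re

# T-SQL a pre-upgrade audit would run against the target database. sys.key_constraints
# is a real SQL Server catalog view; which names to flag (below) is our own logic.
PK_NAME_QUERY = "SELECT name FROM sys.key_constraints WHERE type = 'PK'"

# Constructed stand-in for that query's result set: two ordinary Liferay-style
# primary-key names and one an attacker has renamed to smuggle a second statement.
# The injected statement is illustrative only, not a known payload.
SAMPLE_PK_NAMES = [
    "PK_User_",
    "PK_Group_",
    "PK_Foo] ; INSERT INTO Backdoor_ VALUES (1) --",
]

# The only shape of constraint name the upgrade should ever touch: a plain
# identifier of at most 128 characters (the SQL Server limit), with no
# whitespace, quotes or punctuation.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def build_drop_pk_vulnerable(table, pk_name):
    """Statement assembled by concatenating a name read from the catalog.

    Whatever the attacker stored in the constraint name becomes part of the
    SQL that the upgrade later executes: second-order injection.
    """
    return f"ALTER TABLE {table} DROP CONSTRAINT {pk_name}"


def quote_identifier(name):
    """Bracket-quote an identifier the way T-SQL QUOTENAME() does.

    A ']' inside the name would terminate the quoting, so it is doubled.
    """
    return "[" + name.replace("]", "]]") + "]"


def build_drop_pk_hardened(table, pk_name):
    """Refuse any catalog name that is not a plain identifier, then quote it.

    Validation is the real defence: quoting alone would still carry an
    attacker-chosen name into the statement, merely neutralised.
    """
    for ident in (table, pk_name):
        if not SAFE_IDENTIFIER.match(ident):
            raise ValueError(f"refusing to build SQL from identifier {ident!r}")
    return (
        f"ALTER TABLE {quote_identifier(table)} "
        f"DROP CONSTRAINT {quote_identifier(pk_name)}"
    )


def suspicious_pk_names(names):
    """Pre-upgrade audit: return every catalog name that cannot be a plain identifier."""
    return [n for n in names if not SAFE_IDENTIFIER.match(n)]


if __name__ == "__main__":
    # Audit the (constructed) result set before any upgrade step runs.
    print("would run:", PK_NAME_QUERY)
    print("suspicious constraint names:", suspicious_pk_names(SAMPLE_PK_NAMES))
    # What the vulnerable builder would hand to the database for the bad name.
    print("vulnerable:", build_drop_pk_vulnerable("Foo", SAMPLE_PK_NAMES[2]))
    # The hardened builder refuses the same name outright.
    try:
        build_drop_pk_hardened("Foo", SAMPLE_PK_NAMES[2])
    except ValueError as err:
        print("hardened:", err)
```

Running the audit query against the live database and diffing its output against the expected Liferay constraint names is the practical check before an upgrade; any name that fails the identifier pattern is worth investigating as possible planted metadata, whichever version you are on.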
Official Patches
Technical Appendix
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Liferay Portal | Liferay | 7.3.1 through 7.4.3.17 | 7.4.3.18 |
| Liferay DXP 7.3 | Liferay | before Update 6 | Update 6 |
| Liferay DXP 7.4 | Liferay | before Update 18 | Update 18 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') |
| Attack Vector | Network (context dependent: the attacker needs a path to rename schema objects in the database) |
| CVSS v3.1 | 6.4 (Medium), as scored from the vector above |
| Impact | Critical (arbitrary SQL executed with the upgrade account's database privileges, up to DBA; RCE depends on the server's configuration, e.g. whether xp_cmdshell is enabled) |
| EPSS Score | 0.00282 (low probability) |
| Exploit Status | No public PoC or weaponized exploit |
CWE-89 Description
The software constructs all or part of an SQL command using externally influenced input from an upstream component, but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component. Here the "upstream component" is the database catalog itself: the upgrade tool reads constraint names from it and treats them as trusted.