Severity: High
CVE ID: CVE-2026-12572
Affected Software Version(s): DDI Central 6.2.0 / Build 6200
Fixed Version: Build 6201
Fixed on: June 18, 2026
Details:
The ManageEngine DDI Central 6.2.0 build 6200 had a SQL injection vulnerability in the HA replication user configuration workflow. This issue could allow an authenticated administrator to inject unsafe SQL through replication username handling, potentially leading to command execution as the PostgreSQL service account on the DDI Central host.
The vulnerability has been fixed by using parameterized PostgreSQL queries for replication role creation and validating user-supplied values against a strict identifier allowlist.
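The following is an added illustration of the mitigation pattern named above, not code from ManageEngine or the DDI Central product. It assumes a hypothetical helper that builds the CREATE ROLE statement for a replication user. One caveat matters here: a role name is a SQL identifier, and PostgreSQL does not accept identifiers as bind parameters, so the name cannot simply be passed through a parameterized query. The only sound defence for that part of the statement is a strict allowlist on the value plus identifier quoting in the style of PostgreSQL's quote_ident(); parameter binding still applies to any literal values (passwords, connection limits) that accompany it. The sample inputs are constructed for the demonstration.

```python
import re

# Strict allowlist for an unquoted PostgreSQL identifier: a letter or
# underscore, then letters, digits or underscores, at most 63 characters.
# Anything outside this pattern (quotes, semicolons, spaces, comment
# markers, non-ASCII) is rejected before it reaches the database.
_IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


class InvalidReplicationUsername(ValueError):
    """Raised when a supplied replication username fails the allowlist."""


def is_safe_replication_username(name: object) -> bool:
    """Return True only for values that match the identifier allowlist."""
    return isinstance(name, str) and _IDENTIFIER_RE.fullmatch(name) is not None


def validate_replication_username(name: object) -> str:
    """Allowlist check that raises instead of returning a flag."""
    if not is_safe_replication_username(name):
        raise InvalidReplicationUsername(
            "replication username must match [A-Za-z_][A-Za-z0-9_]{0,62}"
        )
    return name  # type: ignore[return-value]


def quote_ident(name: str) -> str:
    """Double-quote an identifier the way PostgreSQL's quote_ident() does.

    This is defence in depth: after allowlisting there is nothing left to
    escape, but quoting also guards against keyword collisions and keeps
    the statement correct if the allowlist is ever widened.
    """
    return '"' + name.replace('"', '""') + '"'


def build_create_replication_role(name: object) -> str:
    """Hypothetical helper: build CREATE ROLE for an HA replication user.

    The role name passes the allowlist and is quoted as an identifier.
    Literal attributes such as a password are deliberately not embedded
    here; they belong in bound parameters of a separate ALTER ROLE call
    (e.g. ALTER ROLE ... PASSWORD %s) issued through the driver.
    """
    ident = quote_ident(validate_replication_username(name))
    return f"CREATE ROLE {ident} WITH REPLICATION LOGIN"


def screen_candidates(candidates) -> dict:
    """Classify each candidate username as accepted or rejected."""
    return {c: is_safe_replication_username(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: ordinary names beside values that carry
    # SQL metacharacters or violate the identifier rules.
    samples = [
        "repl_user",
        "ha_node2",
        "repl user",
        'repl"; SELECT 1; --',
        "1starts_with_digit",
        "a" * 64,
    ]
    for name, ok in screen_candidates(samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name!r}")
    print(build_create_replication_role("repl_user"))
```

Running the module prints the accept/reject verdict for each constructed sample and then the fully quoted statement for the one valid name. The validator is intentionally narrow: a production deployment can widen it only by adding explicitly permitted characters, never by switching to a denylist of "dangerous" ones.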
Impact:
Successful exploitation of this vulnerability could result in command execution as the PostgreSQL service account on the DDI Central host.
Steps to upgrade:
Update your DDI Central Console and Node Agent instances to the latest build 6201 using the service pack.
Acknowledgements:
This issue was reported by d3lt4_2410.