CVE-2026-4104: Critical SQL Injection and Authorization Bypass in Akmer TeknoPass

"A critical (CVSS 9.8) authorization bypass via user-controlled SQL primary key in Akmer Informatics' TeknoPass enables unauthenticated remote SQL injection against affected builds."


What Is It

CVE-2026-4104 is an authorization bypass through a user-controlled SQL primary key (CWE-89) in Akmer Informatics Automation Industry and Trade Ltd. Co.'s TeknoPass product. The flaw allows SQL injection, letting an attacker manipulate query parameters to access or alter data they should not be authorized to reach. The issue was published on 2026-06-04 and assigned by Turkey's USOM.
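
The flaw class described above, as an added example that is not TeknoPass code and not taken from the advisory: the table, columns and function names are hypothetical and the rows are constructed. It shows a lookup keyed on a request-supplied primary key, first concatenated into the query with no ownership check, then type-checked, bound as a parameter and scoped to the session user.

```python
import sqlite3

def make_db():
    """In-memory database with constructed rows; the schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passes (id INTEGER PRIMARY KEY, owner TEXT, holder TEXT)")
    db.executemany(
        "INSERT INTO passes VALUES (?, ?, ?)",
        [(1, "alice", "Alice A."), (2, "bob", "Bob B."), (3, "bob", "Visitor")],
    )
    return db

def fetch_pass_vulnerable(db, pass_id):
    # Flaw class: the request-supplied key is concatenated into the SQL text,
    # and nothing ties the selected row to the requester.
    sql = "SELECT id, owner, holder FROM passes WHERE id = " + pass_id
    return db.execute(sql).fetchall()

def fetch_pass_hardened(db, session_user, pass_id):
    # 1. Reject anything that is not a plain ASCII integer.
    if not (pass_id.isascii() and pass_id.isdigit()):
        raise ValueError("pass id must be numeric")
    # 2. Bind the key as a parameter so it is treated as data, not SQL.
    # 3. Scope the row to the authenticated session user, not to the request.
    sql = "SELECT id, owner, holder FROM passes WHERE id = ? AND owner = ?"
    return db.execute(sql, (int(pass_id), session_user)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Any caller can name another user's key: authorization bypass by key.
    print(fetch_pass_vulnerable(db, "2"))
    # Extra SQL in the key changes the query itself and returns every row.
    print(len(fetch_pass_vulnerable(db, "1 OR 1=1")))
    # Hardened path: alice gets her own row and nothing for bob's key.
    print(fetch_pass_hardened(db, "alice", "1"))
    print(fetch_pass_hardened(db, "alice", "2"))
    try:
        fetch_pass_hardened(db, "alice", "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```
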

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That means it is exploitable over the network, has low attack complexity, and requires neither privileges nor user interaction, while delivering high impact to confidentiality, integrity, and availability. Any internet-exposed TeknoPass instance is reachable by an unauthenticated attacker who can read, modify, or disrupt backend data through crafted SQL payloads.

No CISA KEV entry has been published for this CVE at the time of writing, so active in-the-wild exploitation has not been confirmed by KEV. The CVSS profile, however, makes it a high-priority issue regardless.

What's Vulnerable

NVD lists no specific affected CPEs for this entry yet. Operators running any TeknoPass build dated on or before 2026-04-29 should treat their deployment as affected.

Patch Status

The NVD record (status: Received) does not yet enumerate a fixed version or vendor patch advisory. The single reference is a Turkish national CERT (USOM) bulletin under siberguvenlik.gov.tr, which should be consulted for the vendor's remediation guidance. Until a confirmed fixed build is identified, defenders should restrict network exposure of TeknoPass instances, place them behind authenticated access controls, and watch for vendor communications referencing builds after 20260429.
