Mitel Product Security Advisory MISA-2026-0002
MiCollab SQL Injection and Privilege Escalation Vulnerabilities
Advisory ID: MISA-2026-0002
Publish Date: 2026-04-08
Last Updated: 2026-04-08
Revision: 1.0
Summary
An SQL injection vulnerability in the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient sanitization of user input. A successful exploit of this vulnerability could allow an attacker to access system or user provisioning information and execute arbitrary SQL database commands. The vulnerability severity is rated as critical.
A privilege escalation vulnerability in the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab could allow an authenticated attacker with administrative privilege to conduct a privilege escalation attack due to resources executing with unnecessary privileges. A successful exploit of this vulnerability could allow an attacker with local access to execute arbitrary commands with elevated privileges. The vulnerability severity is rated as medium.
Exploiting these vulnerabilities together can significantly amplify their impact.
Mitel is recommending customers with affected product versions update to the available solutions as soon as feasible.
Credit is given to Almog Biton, independent security researcher, for highlighting these issues and bringing them to our attention.
Affected Products and Solutions
This security advisory provides information on the following products:
| PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE |
|---|---|---|
| MiCollab | Version 10.2 (10.2.0.24) and earlier | Upgrade to version 10.2 SP1 (10.2.1.11) or subsequent releases. Alternative solution: Mitel-provided patches are available for releases 10.0 (10.0.0.26) to 10.2 (10.2.0.24) and for 9.8 (9.8.0.33) to 9.8 SP3 FP1 (9.8.3.103). See the Security KB article for instructions on the upgrade and the application of the available patches. |
Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.
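As an added triage helper (not Mitel's code), the following script classifies MiCollab build strings against the version boundaries stated in the table above and reports which remediation path the advisory offers for each host; the hostnames and builds it runs on are constructed sample data.

```python
# Added example, not Mitel's code: triage MiCollab build strings against the
# version ranges published in MISA-2026-0002. Host names and builds used as
# input below are constructed, not real systems.
from typing import Dict, Tuple

def parse_version(build: str) -> Tuple[int, ...]:
    """'10.2.0.24' -> (10, 2, 0, 24); anything other than dotted integers is rejected."""
    parts = build.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed MiCollab build string: {build!r}")
    return tuple(int(p) for p in parts)

# Boundaries exactly as stated in the advisory.
FIXED_RELEASE = parse_version("10.2.1.11")   # 10.2 SP1
AFFECTED_UPPER = parse_version("10.2.0.24")  # "10.2 (10.2.0.24) and earlier"
PATCH_RANGES = (                             # inclusive ranges with a Mitel patch
    (parse_version("10.0.0.26"), parse_version("10.2.0.24")),
    (parse_version("9.8.0.33"), parse_version("9.8.3.103")),
)

def classify(build: str) -> str:
    """Map one build to the remediation path the advisory gives for it."""
    v = parse_version(build)
    if v >= FIXED_RELEASE:
        return "fixed"
    if v > AFFECTED_UPPER:
        return "not-listed"        # above 10.2.0.24 but below SP1: advisory is silent
    if any(lo <= v <= hi for lo, hi in PATCH_RANGES):
        return "patch-available"   # affected; apply the patch or upgrade to 10.2 SP1
    return "upgrade-required"      # affected and no patch listed for this release

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: build} map; bad strings are flagged, not skipped."""
    report = {}
    for host, build in inventory.items():
        try:
            report[host] = classify(build)
        except ValueError:
            report[host] = "invalid-version"
    return report

# Constructed sample inventory covering each outcome.
SAMPLE_INVENTORY = {
    "micollab-hq": "10.2.1.11",       # fixed
    "micollab-branch": "10.2.0.24",   # patch-available
    "micollab-legacy": "9.7.1.20",    # upgrade-required (affected, below 9.8.0.33)
    "micollab-bad": "10.2-SP1",       # invalid-version
}
```

Builds that fall between 10.2.0.24 and 10.2.1.11 are reported as "not-listed" rather than guessed at, since the advisory does not name them.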
Vulnerability Severity
The following products have been identified as affected:
| PRODUCT NAME | CVE ID | SEVERITY / CVSS 3.1 BASE SCORE | CVSS 3.1 VECTOR |
|---|---|---|---|
| MiCollab | CVE requested | Critical / 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| MiCollab | CVE requested | Medium / 6.7 | AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Exploiting these vulnerabilities together can significantly amplify their impact.
Mitigations / Workarounds
For customers who are not currently able to upgrade to the latest version in a timely manner, the risk may be mitigated by following the instructions found in the security KB article.
Solution / Recommended Action
These issues are addressed in MiCollab 10.2 SP1 (10.2.1.11); customers are advised to upgrade to this or a subsequent release. Alternatively, Mitel-provided patches are available for releases 10.0 (10.0.0.26) to 10.2 (10.2.0.24) and for 9.8 (9.8.0.33) to 9.8 SP3 FP1 (9.8.3.103).
Please see Mitel Security Knowledge Base article KB000127339, “MiCollab Security Update - SQL Injection and Privilege Escalation Vulnerabilities”, for detailed instructions regarding the upgrade and applying the available patches.
If you do not have access to this link, please contact your Mitel Authorized Partner for support.
For further information, please contact Mitel Product Support.
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 2026-04-08 | Initial release |
Publisher and Legal Disclaimer
Publisher: Mitel PSIRT / [email protected]
The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.