Security Advisory - Published 2026-06-10 - LimeSurvey

LimeSurvey CVE-2026-50636: RemoteControl SQL Injection Self-Check

CVE-2026-50636 affects LimeSurvey RemoteControl API methods used for survey token workflows. The exposure requires the RemoteControl interface to be enabled and an authenticated account with token update permission on a survey. For agencies, universities, research teams, and customer-feedback portals, the practical risk is database access through a trusted survey account.

Defensive scope: this page does not include SQL samples or replay steps. The useful work is to disable unused RPC access, apply the vendor fix, reduce survey permissions, and review users, logs, and database changes.

Who should check

  • LimeSurvey installations with RemoteControl 2 API enabled.
  • Sites where staff, customers, departments, or outside agencies manage survey participants.
  • Installations using MySQL or MariaDB with a broad database user.
  • Public survey portals where many users have survey-level administrative permissions.

10-minute self-check

Step 1: Check whether RemoteControl is enabled

grep -Rni "RPCInterface" application/config config.php 2>/dev/null
grep -Rni "remotecontrol" application/config config.php 2>/dev/null

Run the grep commands from the LimeSurvey installation root. In the LimeSurvey admin UI, also check Configuration > Global settings for the RemoteControl / RPC interface setting, because the UI setting overrides whatever the config file says. If RemoteControl is disabled, this specific issue is much less likely to apply.

Step 2: Review token update permissions

  • List users who can manage tokens or participants for each active survey.
  • Remove token update rights from old staff, contractors, and generic shared accounts.
  • Disable or reset accounts that have not logged in recently.
  • Check whether survey admins also have broader application or database access.

Step 3: Check web logs for RemoteControl activity

grep -RE "remotecontrol|invite_participants|remind_participants" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -150

Look for repeated RemoteControl calls from unexpected IPs, old accounts, or unusual survey IDs. Note that RemoteControl is a JSON-RPC endpoint: a standard access log records the request path (the remotecontrol URL), not the method name in the POST body, so the method-name patterns above only match if request bodies or application logs are being captured. Preserve logs before rotating credentials or changing database access.

Step 4: Check for suspicious application and database changes

  • New LimeSurvey admin users or changed passwords.
  • Unexpected survey participant exports or deleted responses.
  • Changed global settings, plugin settings, or email templates.
  • Database users with wider privileges than LimeSurvey needs.
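The following shell script is an added example for Step 3 above; it is not part of this advisory and not LimeSurvey code. It reads a web access log in combined format, counts RemoteControl requests per source IP, flags callers that are not on a known-integration allow-list, and prints the first timestamp seen for a given IP (the value the repair path asks for). The allow-list addresses and the embedded log lines are constructed placeholders, and the script assumes the RemoteControl endpoint path contains "admin/remotecontrol".

```shell
#!/bin/sh
# Added example (not from the advisory or LimeSurvey): triage RemoteControl
# requests in a combined-format access log. Edit KNOWN_HOSTS to list the
# integration hosts that are allowed to call the API (placeholders below).
KNOWN_HOSTS="10.0.5.20 10.0.5.21"

# Constructed sample log lines for offline testing; not real traffic.
SAMPLE_LOG='10.0.5.20 - - [08/Jun/2026:09:12:01 +0000] "POST /index.php/admin/remotecontrol HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.77 - - [08/Jun/2026:23:41:10 +0000] "POST /index.php/admin/remotecontrol HTTP/1.1" 200 640 "-" "curl/8.5.0"
203.0.113.77 - - [08/Jun/2026:23:41:12 +0000] "POST /index.php/admin/remotecontrol HTTP/1.1" 200 640 "-" "curl/8.5.0"
198.51.100.9 - - [09/Jun/2026:03:02:44 +0000] "GET /index.php/survey/index/sid/123456 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.77 - - [08/Jun/2026:23:41:15 +0000] "POST /index.php/admin/remotecontrol HTTP/1.1" 500 120 "-" "curl/8.5.0"'

# remotecontrol_hits < access.log
# Prints "count ip" for every source IP that requested the RemoteControl path.
remotecontrol_hits() {
  grep -i 'admin/remotecontrol' | awk '{ print $1 }' | sort | uniq -c \
    | awk '{ print $1, $2 }'
}

# unknown_callers < access.log
# Prints "ip count" for RemoteControl callers that are not in KNOWN_HOSTS.
# Anything listed here is a call you cannot map to a known integration.
unknown_callers() {
  remotecontrol_hits | while read -r count ip; do
    known=0
    for h in $KNOWN_HOSTS; do
      if [ "$h" = "$ip" ]; then known=1; fi
    done
    if [ "$known" -eq 0 ]; then echo "$ip $count"; fi
  done
}

# first_seen_ts IP < access.log
# Prints the timestamp of the first RemoteControl request from IP, i.e. the
# "first suspicious timestamp" to record before any cleanup.
first_seen_ts() {
  grep -i 'admin/remotecontrol' \
    | awk -v ip="$1" '$1 == ip { print substr($4, 2); exit }'
}

# Usage: sh remotecontrol_triage.sh /var/log/nginx/access.log
if [ $# -gt 0 ]; then
  echo "RemoteControl callers (count ip):"
  remotecontrol_hits < "$1"
  echo "Callers not on the known-integration list (ip count):"
  unknown_callers < "$1"
fi
```

Run it against each log directory the grep in Step 3 covers, and record the first-seen timestamp for every unknown caller before rotating credentials; the count column is a quick signal for repeated calls from a single source, which the advisory flags as the urgent case.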

Safe fix path

  1. Apply the vendor fix. The public LimeSurvey pull request for issue 20549 was merged on 2026-06-05. Use the first release that includes that fix, or apply the official patch in a controlled maintenance window.
  2. Disable RemoteControl if it is unused. Many survey sites do not need the API after migration or one-time integration work.
  3. Restrict RemoteControl by IP. If the API is required, limit it at the web server or WAF to known integration hosts.
  4. Reduce survey token permissions. Keep invite/reminder workflows to trusted operators only.
  5. Rotate credentials after suspicious activity. Include LimeSurvey admins, database password, and integration API credentials.

When this becomes urgent

  • RemoteControl is enabled on a public site.
  • Multiple users or outside teams have token update permission.
  • Logs show RemoteControl calls you cannot map to a known integration.
  • The LimeSurvey database user can read or modify more schemas than the application needs.

Ping7 repair path

Ping7 can review LimeSurvey version and patch state, RemoteControl exposure, token permissions, web logs, database users, and post-fix cleanup. Start from CVE Repair and include your LimeSurvey version, whether RemoteControl is enabled, and the first suspicious timestamp if you have one.

References