Bug 2460291 (CVE-2026-40906)
| Field | Value |
|---|---|
| Summary | CVE-2026-40906 electric-sql: ElectricSQL: Critical data compromise and loss via SQL injection |
| Product | [Other] Security Response |
| Reporter | OSIDB Bzimport <bzimport> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | abarbaro, alizardo, jchui, jhe, ktsao, nboldt, oaljalju, psrna |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | --- |
| Doc Text | A flaw was found in ElectricSQL, a Postgres sync engine. An authenticated user could exploit an error-based SQL injection vulnerability in the `/v1/shape` API's `order_by` parameter. This flaw allows an attacker to read, write, and destroy the full contents of the underlying PostgreSQL database. Such an attack could lead to severe data compromise and potential data loss. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
OSIDB Bzimport
2026-04-21 21:02:36 UTC
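The defensive point behind this record is that an `ORDER BY` column or direction cannot be passed as a bound query parameter, so an `order_by`-style input has to be validated against an allow-list of sortable columns before it is placed into the SQL text. The example below is added here for illustration; it is not ElectricSQL's code and does not reconstruct the reported flaw. The `items` table, its column names and the `parse_order_by` helper are constructed assumptions, and SQLite stands in for PostgreSQL so the snippet runs offline.

```python
import re
import sqlite3

# Constructed allow-list: the only columns a client may sort by. In a real
# service this would be derived from the schema the endpoint exposes.
ALLOWED_ORDER_COLUMNS = {"id", "created_at", "title"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# A bare SQL identifier; anything with quotes, parentheses, semicolons or
# comment markers fails this check before it can reach the allow-list.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_order_by_unsafe(order_by: str) -> str:
    """The vulnerable pattern: untrusted text is spliced straight into the query."""
    return f"SELECT id, title FROM items ORDER BY {order_by}"


def parse_order_by(order_by: str) -> list[tuple[str, str]]:
    """Validate a comma-separated order_by value such as "created_at desc, id".

    Returns a list of (column, direction) pairs, or raises ValueError on any
    term that is not an allow-listed column with an optional ASC/DESC.
    """
    terms = []
    for raw in order_by.split(","):
        parts = raw.strip().split()
        if not parts or len(parts) > 2:
            raise ValueError(f"malformed order_by term: {raw!r}")
        column = parts[0]
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if not _IDENT.match(column) or column not in ALLOWED_ORDER_COLUMNS:
            raise ValueError(f"column not sortable: {column!r}")
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError(f"bad direction: {direction!r}")
        terms.append((column, direction))
    return terms


def build_order_by_safe(order_by: str) -> str:
    """Build the query only from validated, quoted identifiers and fixed keywords."""
    clause = ", ".join(f'"{col}" {direction}' for col, direction in parse_order_by(order_by))
    return f"SELECT id, title FROM items ORDER BY {clause}"


def run_query(sql: str) -> list[tuple]:
    """Run the query against an in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "b", "2026-01-02"), (2, "a", "2026-01-01")],
    )
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows


def safe_rejects(order_by: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        parse_order_by(order_by)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_query(build_order_by_safe("created_at desc, id")))
    for candidate in ("price", "id)", "id ASC DESC"):
        print(candidate, "rejected" if safe_rejects(candidate) else "accepted")
```

The unsafe builder is kept only to make the contrast visible: it returns whatever it was given inside the query text, whereas the hardened path never copies client input into SQL at all, it copies a column name from its own allow-list after the input has been matched against it.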