EXECUTIVE SUMMARY:
Two vulnerabilities have been found in the sqlfluff package. Both are in the SQL parser: one is uncontrolled resource consumption, the other a recursive stack overflow. Either can be exploited by an attacker to cause a Denial of Service through resource exhaustion. This poses a significant business risk, as it allows an attacker to disrupt the normal operation of an application, impacting productivity and potentially leading to financial losses. The severity of these vulnerabilities is high and requires immediate attention.

CVE-2026-46374 (CVSS score 7.5) – In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a maliciously long query to trigger a Denial of Service through resource exhaustion. This exploits the uncontrolled resource consumption in the SQLFluff parser. An attacker with the capability to submit malicious queries can cause a Denial of Service.

CVE-2026-46373 (CVSS score 7.5) – In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberately excessive nesting to trigger a Denial of Service through resource exhaustion. This exploits the recursive stack overflow in the SQLFluff parser. An attacker with the capability to submit malicious queries can cause a Denial of Service.
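Both issues share the same precondition: untrusted SQL reaches the parser unchecked. Until the upgrade is rolled out (and as defence in depth afterwards), a deployment that lints user-supplied SQL can bound the input before it is handed to the linter. The following is an added example written for this advisory; it is not code from the advisory or from the SQLFluff project. It assumes two placeholder limits (MAX_QUERY_BYTES and MAX_NESTING_DEPTH) that a deployment would tune to its own workloads, and the function names are hypothetical. It measures query size and bracket nesting depth, ignoring brackets inside string literals and comments so that harmless literals do not trip the depth check, and rejects anything that exceeds the limits.

```python
"""Pre-lint input guard: reject oversized or deeply nested SQL before parsing.

Added example, not part of the advisory or of the SQLFluff project.
The limits below are assumed placeholder values; the names are hypothetical.
"""
from dataclasses import dataclass

MAX_QUERY_BYTES = 64 * 1024   # assumed limit: largest query this service will lint
MAX_NESTING_DEPTH = 32        # assumed limit: deepest bracket nesting allowed


@dataclass(frozen=True)
class GuardResult:
    ok: bool
    reason: str
    depth: int


def max_bracket_depth(sql: str) -> int:
    """Return the deepest level of ( ) / [ ] nesting in `sql`.

    Brackets inside string literals ('...', with '' as the escape) and inside
    comments (-- to end of line, /* ... */) are skipped, so a literal such as
    '((((' does not count towards the measured depth.
    """
    depth = deepest = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            # Skip a string literal, honouring the doubled-quote escape.
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # step past the closing quote
            continue
        if sql.startswith("--", i):
            # Line comment: skip to the end of the line.
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl + 1
            continue
        if sql.startswith("/*", i):
            # Block comment: skip to the closing marker (or end of input).
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if ch in "([":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in ")]":
            depth = max(0, depth - 1)  # tolerate unbalanced closers
        i += 1
    return deepest


def guard_query(sql: str,
                max_bytes: int = MAX_QUERY_BYTES,
                max_depth: int = MAX_NESTING_DEPTH) -> GuardResult:
    """Decide whether `sql` is small and shallow enough to hand to a parser."""
    size = len(sql.encode("utf-8"))
    if size > max_bytes:
        return GuardResult(False, f"query of {size} bytes exceeds limit of {max_bytes}", 0)
    depth = max_bracket_depth(sql)
    if depth > max_depth:
        return GuardResult(False, f"nesting depth {depth} exceeds limit of {max_depth}", depth)
    return GuardResult(True, "ok", depth)


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary query, one with excessive nesting.
    for sample in ("SELECT id FROM t WHERE x IN (SELECT y FROM u)",
                   "SELECT " + "(" * 40 + "1" + ")" * 40):
        result = guard_query(sample)
        print(f"ok={result.ok} depth={result.depth} reason={result.reason}")
```

The guard is cheap (a single linear pass) and runs before any parser work, so a rejected query never reaches the recursive code path. It complements, rather than replaces, the upgrade, and pairs well with running the lint itself under a wall-clock timeout in a separate worker so that a query which still exhausts resources cannot stall the serving process.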
RECOMMENDATION:
We recommend updating sqlfluff to version 4.2.1 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-73jc-5mrq-prw7
https://github.com/advisories/GHSA-wmhf-fqc8-vxhh