Threat Advisory

Critical SQL Injection Vulnerability in ElectricSQL API

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-40906 is a critical SQL injection flaw in ElectricSQL, a PostgreSQL synchronization engine, affecting versions before 1.5.0. It resides in the /v1/shape API, where the order_by parameter is not properly validated before being incorporated into the query sent to the backend database, enabling error-based SQL injection. An authenticated attacker can therefore supply SQL expressions in order_by that PostgreSQL executes directly. Successful exploitation gives the attacker control over the underlying PostgreSQL database, including the ability to read, modify, and delete data. Because the injected SQL runs with the sync service's own database privileges rather than the requesting tenant's, the flaw can also lead to privilege escalation and complete compromise of multi-tenant deployments by bypassing tenant isolation controls. The vulnerability is classified as CWE-89 (SQL Injection) and carries a reported CVSS score of 10.0 (Critical). Exploitation requires only low privileges and no user interaction, making it highly feasible. Overall, this issue poses a significant risk to the confidentiality, integrity, and availability of affected systems.
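The advisory describes the classic shape of this bug class: an ORDER BY clause cannot be passed as a bound parameter, so services tend to concatenate the client's order_by string into the query. The following is an added illustration, not ElectricSQL's code and not the actual vulnerable code path; the table names, the sample rows, and the helper names are constructed here. It runs against an in-memory SQLite database (PostgreSQL error-based payloads differ in syntax, but the concatenation defect and the fix are the same), showing a vulnerable builder that executes an attacker's CASE expression to leak another tenant's secret through row ordering, and a hardened builder that allowlists column names and sort direction.

```python
import re
import sqlite3

# Constructed sample schema and data for the demonstration (not ElectricSQL's schema).
SCHEMA = """
CREATE TABLE items (id INTEGER, tenant_id INTEGER, name TEXT);
CREATE TABLE api_keys (tenant_id INTEGER, secret TEXT);
INSERT INTO items VALUES (1, 1, 'apple'), (2, 1, 'pear'), (3, 2, 'fig');
INSERT INTO api_keys VALUES (1, 'k-tenant-1'), (2, 'k-tenant-2');
"""

# Hypothetical allowlist of sortable columns for the 'items' shape.
ALLOWED_COLUMNS = {"id", "name"}

# One order term: a bare identifier, optionally followed by ASC/DESC. Nothing else.
_ORDER_TERM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*$", re.IGNORECASE)


def build_query_vulnerable(order_by):
    """Vulnerable pattern: the client's order_by string is concatenated verbatim.
    The tenant filter is parameterized, but everything after ORDER BY is attacker SQL."""
    return f"SELECT id, name FROM items WHERE tenant_id = ? ORDER BY {order_by}"


def validate_order_by(order_by, allowed=ALLOWED_COLUMNS):
    """Hardened pattern: parse order_by into (column, direction) pairs, reject anything
    that is not an allowlisted identifier, and re-emit quoted identifiers ourselves."""
    terms = []
    for raw in order_by.split(","):
        m = _ORDER_TERM.match(raw)
        if not m:
            raise ValueError(f"malformed order_by term: {raw!r}")
        col, direction = m.group(1), (m.group(2) or "ASC").upper()
        if col not in allowed:
            raise ValueError(f"column not allowed in order_by: {col!r}")
        terms.append(f'"{col}" {direction}')
    return ", ".join(terms)


def build_query_hardened(order_by):
    # Only the validated, re-serialized ORDER BY ever reaches the database.
    return f"SELECT id, name FROM items WHERE tenant_id = ? ORDER BY {validate_order_by(order_by)}"


def run(sql, tenant_id=1):
    """Execute the query for one tenant against a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return conn.execute(sql, (tenant_id,)).fetchall()
    finally:
        conn.close()


def oracle(guess, builder):
    """Attacker's inference step: order tenant 1's rows ascending if tenant 2's secret
    starts with `guess`, descending otherwise. The response order leaks one bit per request;
    repeating over a character alphabet extracts the whole secret."""
    payload = (
        "CASE WHEN (SELECT secret FROM api_keys WHERE tenant_id = 2) "
        f"LIKE '{guess}%' THEN id ELSE -id END"
    )
    rows = run(builder(payload))
    return [r[0] for r in rows] == [1, 2]


def hardened_rejects(order_by):
    """True if the hardened builder refuses the string before it reaches the database."""
    try:
        build_query_hardened(order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, correct prefix:", oracle("k-tenant-2", build_query_vulnerable))  # True
    print("vulnerable, wrong prefix:  ", oracle("zzz", build_query_vulnerable))         # False
    print("hardened rejects payload:  ", hardened_rejects("CASE WHEN 1=1 THEN id ELSE -id END"))
    print("hardened accepts 'name desc':", run(build_query_hardened("name desc")))
```

The design point is that ORDER BY must be built from a closed vocabulary the server owns: parse the client's request into column and direction tokens, check each token against an allowlist, and serialize the clause yourself. Binding the column name as a query parameter is not a fix either; the database would then sort by a constant string rather than by the column.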


RECOMMENDATION:

We recommend updating ElectricSQL to version 1.5.0 or later. Until the update is applied, restrict network access to the /v1/shape endpoint to trusted clients where possible, and review request logs for /v1/shape calls whose order_by values contain anything other than plain column names and a sort direction.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/electricsql-sql-injection-cve-2026-40906-database-security/
