EXECUTIVE SUMMARY:
CVE-2026-40342 with a CVSS score of 10.0 is a critical-severity vulnerability in Firebird, a long-standing relational database, that allows attackers to execute arbitrary code with the highest system privileges. The flaw, located within the engine/plugin loader, is a classic Path Traversal (CWE-22) issue that affects Firebird 5.0.3 and earlier, including versions 4.0.6 and 3.0.13. When a user executes a CREATE FUNCTION statement using the ENGINE keyword, Firebird attempts to load the specified plugin by building a file path, which an attacker can manipulate to point the database to a malicious shared library anywhere on the filesystem. One of the most alarming aspects of this bug is that the initialization code of the loaded library runs immediately upon loading, before Firebird has a chance to check if the file is a valid plugin, allowing the attacker's code to execute inside the server process with the privileges of the OS account running the Firebird process. Any user with the permissions to run CREATE FUNCTION can trigger this exploit, granting the attacker code execution and enabling them to read sensitive databases, move laterally through the network, or establish permanent persistence on the host. This vulnerability has devastating potential impact and is particularly alarming due to its ease of exploitation and the absence of allowlist or configuration options to lock it down in affected versions.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-40342 with a CVSS score of 10.0 is a critical-severity vulnerability in Firebird, a long-standing relational database, that allows attackers to execute arbitrary code with the highest system privileges. The flaw, located within the engine/plugin loader, is a classic Path Traversal (CWE-22) issue that affects Firebird 5.0.3 and earlier, including versions 4.0.6 and 3.0.13. When a user executes a CREATE FUNCTION statement using the ENGINE keyword, Firebird attempts to load the specified plugin by building a file path, which an attacker can manipulate to point the database to a malicious shared library anywhere on the filesystem. One of the most alarming aspects of this bug is that the initialization code of the loaded library runs immediately upon loading, before Firebird has a chance to check if the file is a valid plugin, allowing the attacker's code to execute inside the server process with the privileges of the OS account running the Firebird process. Any user with the permissions to run CREATE FUNCTION can trigger this exploit, granting the attacker code execution and enabling them to read sensitive databases, move laterally through the network, or establish permanent persistence on the host. This vulnerability has devastating potential impact and is particularly alarming due to its ease of exploitation and the absence of allowlist or configuration options to lock it down in affected versions.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/firebird-database-rce-cve-2026-40342-path-traversal/