Threat Advisory

SQL Injection Vulnerability in Daptin Fuzzy Search Processing

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

A critical security flaw involving improper neutralization of special elements in SQL commands has been identified within the fuzzy search functionality of the affected software. Exploitation of this vulnerability allows authenticated users, including those with minimal privileges, to bypass column validation mechanisms and execute arbitrary SQL queries against the underlying database. With a severity rating of high and an estimated CVSS score of 7.5, the flaw represents a significant risk to data confidentiality and integrity. The vulnerability stems from the direct interpolation of user-supplied parameters into raw SQL statements across multiple database drivers, enabling full database extraction.

CVE-2026-44349: This SQL injection vulnerability resides in the fuzzy search processing logic where unvalidated column names are interpolated into raw SQL templates. Affected components include the paginated resource finding module when handling specific search operators. An attacker can leverage this to bypass schema checks and execute boolean-blind extraction or tautology-based queries.

 

The exploitation risk is high as it permits any registered user to read the entire database content regardless of administrative oversight. The security of the database layer is compromised due to the lack of a whitelist-based validation for column identifiers during specific query operations. Failure to sanitize these inputs before they reach the database driver sinks creates a direct path for unauthorized data access. Implementing rigorous input validation and adhering to prepared statement protocols is essential to prevent such injection attacks and maintain a secure environment.
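The flawed pattern and the allowlist check described above, as an added example in Go; it is not Daptin's code and does not come from the advisory. The function names, the `article` table and its columns are assumptions made for illustration, and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical schema allowlist: the columns a caller may search, per table.
var searchableColumns = map[string]map[string]bool{
	"article": {"title": true, "body": true},
}

// ErrUnknownColumn is returned when a column is not in the allowlist.
var ErrUnknownColumn = errors.New("column not in schema allowlist")

// unsafeFuzzyClause shows the flawed pattern: the column name is interpolated
// into the SQL text, so the database parses it as SQL rather than as data.
// Binding the search term does not help, because the column is not bound.
func unsafeFuzzyClause(column, term string) (string, []any) {
	return fmt.Sprintf("LOWER(%s) LIKE ?", column), []any{"%" + strings.ToLower(term) + "%"}
}

// safeFuzzyClause accepts a column only when it is an exact key in the
// allowlist for the table; anything else is rejected before SQL is built.
// The search term is always passed as a bound parameter.
func safeFuzzyClause(table, column, term string) (string, []any, error) {
	if !searchableColumns[table][column] {
		return "", nil, fmt.Errorf("%w: %q", ErrUnknownColumn, column)
	}
	clause := fmt.Sprintf("LOWER(%s) LIKE ?", column)
	return clause, []any{"%" + strings.ToLower(term) + "%"}, nil
}

func main() {
	// Constructed inputs: a legitimate column and one carrying SQL syntax.
	for _, col := range []string{"title", "title) OR 1=1 --"} {
		u, _ := unsafeFuzzyClause(col, "report")
		s, args, err := safeFuzzyClause("article", col, "report")
		fmt.Printf("column=%q\n  unsafe: %s\n  safe:   %q %v err=%v\n", col, u, s, args, err)
	}
}
```

Identifiers cannot be sent as bound parameters, which is why the column needs an exact-match allowlist rather than escaping.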

RECOMMENDATION:

  • We recommend updating go/github.com/daptin/daptin to version 0.11.5.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pwqg-q8pg-pp6r
