{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40906", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-21T20:05:51.819Z", "dateUpdated": "2026-04-22T13:47:15.546Z"}, "containers": {"cna": {"title": "Electric: SQL Injection via ORDER BY Parameter in Shape API", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj"}, {"name": "https://github.com/electric-sql/electric/pull/4081", "tags": ["x_refsource_MISC"], "url": "https://github.com/electric-sql/electric/pull/4081"}], "affected": [{"vendor": "electric-sql", "product": "electric", "versions": [{"version": ">= 1.1.12, < 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:05:51.819Z"}, "descriptions": [{"lang": "en", "value": "Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0."}], "source": {"advisory": "GHSA-h5rg-pxx7-r2hj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:46:48.727407Z", "id": "CVE-2026-40906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:47:15.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:46:48.727407Z"}}}], "references": [{"url": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:47:08.906Z"}}], "cna": {"title": "Electric: SQL Injection via ORDER BY Parameter in Shape API", "source": {"advisory": "GHSA-h5rg-pxx7-r2hj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "electric-sql", "product": "electric", "versions": [{"status": "affected", "version": ">= 1.1.12, < 1.5.0"}]}], "references": [{"url": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj", "name": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/electric-sql/electric/pull/4081", "name": "https://github.com/electric-sql/electric/pull/4081", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:05:51.819Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40906", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:47:15.546Z", "dateReserved": "2026-04-15T16:37:22.767Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T20:05:51.819Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0."}], "id": "CVE-2026-40906", "lastModified": "2026-04-22T14:17:02.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:44.697", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/electric-sql/electric/pull/4081"}, {"source": "security-advisories@github.com", "url": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "electric-sql: ElectricSQL: Critical data compromise and loss via SQL injection", "id": "2460291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460291"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-89", "details": ["A flaw was found in ElectricSQL, a Postgres sync engine. An authenticated user could exploit an error-based SQL injection vulnerability in the `/v1/shape` API's `order_by` parameter. This flaw allows an attacker to read, write, and destroy the full contents of the underlying PostgreSQL database. Such an attack could lead to severe data compromise and potential data loss."], "name": "CVE-2026-40906", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "product_name": "Red Hat Developer Hub"}], "public_date": "2026-04-21T20:05:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40906\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40906\nhttps://github.com/electric-sql/electric/pull/4081\nhttps://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.12,1.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "electric", "source": "cna", "vendor": "electric-sql"}, "product": "electric", "vendor": "electric-sql"}], "analysis": {"en": {"generated_at": "2026-04-22T06:42:02.931271+00:00", "value": {"mitigation_remediation": ["Upgrade Electric to version 1.5.0 or later where the vulnerability is fixed", "Restrict authenticated access to the /v1/shape endpoint to the minimum required roles and monitor logs for anomalous ORDER BY expressions", "If immediate upgrade is not feasible, temporarily block or remove the ORDER BY parameter from API calls and validate input against a whitelist"], "summary": {"action": "Immediate Patch", "impact": "Full database compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "Electric PostgreSQL sync engine versions from 1.1.12 up to, but not including, 1.5.0 are affected.", "description_and_impact": "The vulnerability resides in the order_by parameter of the ElectricSQL /v1/shape API and permits error\u2011based SQL injection, allowing any authenticated user to execute arbitrary SQL against the underlying PostgreSQL database. This flaw makes it possible to read, modify, and delete all database contents, effectively giving full control over the database. The weakness is a classic SQL injection (CWE\u201189).", "risk_and_exploitability": "The CVSS score is 10, reflecting the catastrophic impact. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers need authenticated access to the /v1/shape endpoint; once authenticated, they can craft ORDER BY expressions to trigger the injection, read or modify any table, and even delete data."}}}}, "created": "2026-04-22T06:45:10.878177+00:00", "updated": "2026-04-22T11:45:21.350691+00:00", "vendors": ["electric-sql", "electric-sql$PRODUCT$electric"]}