PowerSync Service CVE-2026-30870
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 14 npm packages depend on @powersync/service-core (7 direct, 7 indirect)
- 21 npm packages depend on @powersync/service-sync-rules (11 direct, 10 indirect)
Ecosystem-wide dependent count for version 1.20.0 and other introduced versions.
DescriptionGitHub Advisory
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.
AnalysisAI
PowerSync Service 1.20.0 with config.edition: 3 fails to enforce subquery filters in sync streams, allowing authenticated users to access data that should be restricted based on their permissions. The vulnerability affects only configurations using unpartitioned subqueries for synchronization gating and is resolved in version 1.20.1. No patch is currently available for affected deployments.
Technical ContextAI
Classified as CWE-285 (Improper Authorization). PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in
Affected ProductsAI
Fixed in: 1
RemediationAI
Fixed in version 1.20.1.. Restrict network access to the affected service where possible.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q6wc-xx4m-92fj