Skip to main content

PostgreSQL CVE-2026-33142

HIGH
SQL Injection (CWE-89)
2026-03-18 https://github.com/OneUptime/oneuptime GHSA-gcg3-c5p2-cqgg
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 16:45 vuln.today
CVE Published
Mar 18, 2026 - 16:34 nvd
HIGH 8.1

DescriptionGitHub Advisory

The fix for GHSA-p5g2-jm85-8g35 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns.

ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys.

Details

Root cause

StatementGenerator.ts has four methods that iterate over user-provided object keys to build SQL:

MethodValidates keys?
toWhereStatement (line 292)Yes - calls this.model.getTableColumn(key)
toSortStatement (line 467)No
toSelectStatement (line 483)No
toGroupByStatement (line 451)No

In Statement.ts, when a value passed to the SQL tagged template is a string, it receives the Identifier data type (line 40). Per ClickHouse documentation, Identifier parameters are substituted directly into the query without quoting or escaping. This is correct for trusted column names but unsafe for user input.

Input flow

BaseAnalyticsAPI.ts deserializes sort, select, and groupBy directly from req.body (lines 239-253) and passes them to the service layer without column validation:

typescript
sort = JSONFunctions.deserialize(req.body["sort"]) as Sort<AnalyticsDataModel>;
select = JSONFunctions.deserialize(req.body["select"]) as Select<AnalyticsDataModel>;
groupBy = JSONFunctions.deserialize(req.body["groupBy"]) as GroupBy<AnalyticsDataModel>;

Affected endpoints

Any endpoint backed by BaseAnalyticsAPI.getList() or BaseAnalyticsAPI.getAggregate() - this includes analytics queries for logs, metrics, spans, and exceptions.

Impact

An authenticated user can inject arbitrary ClickHouse SQL through crafted column names in sort, select, or groupBy request parameters. This allows reading, modifying, or deleting analytics data (logs, metrics, traces) stored in ClickHouse. PostgreSQL data is not affected (separate query path).

Suggested Fix

Add the same getTableColumn() validation already present in toWhereStatement to the three unvalidated methods:

typescript
// toSortStatement, toSelectStatement, toGroupByStatement
for (const key in sort) {
  if (!this.model.getTableColumn(key)) {
    throw new BadDataException(`Unknown column: ${key}`);
  }
  // existing logic
}

This matches the pattern used in the GHSA-p5g2 fix for _aggregateBy and the existing toWhereStatement validation.

AnalysisAI

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

Technical ContextAI

This vulnerability affects the OneUptime npm package (pkg:npm/oneuptime), specifically in the StatementGenerator.ts component that constructs ClickHouse SQL queries for analytics data. The root cause is CWE-89 (SQL Injection) stemming from improper neutralization of special elements in SQL commands. ClickHouse Identifier parameters are substituted directly into queries without escaping or quoting, which is safe only for trusted column names. While the earlier GHSA-p5g2-jm85-8g35 fix added validation to the _aggregateBy method via getTableColumn() checks, the same protection was not applied to toSortStatement, toSelectStatement, and toGroupByStatement methods. These methods receive deserialized user input from req.body through BaseAnalyticsAPI.ts without column validation, creating multiple injection vectors. The vulnerability is isolated to ClickHouse analytics data; PostgreSQL data paths remain unaffected as they use separate query construction logic.

RemediationAI

Apply the suggested fix by adding getTableColumn() validation to the three unvalidated methods (toSortStatement, toSelectStatement, toGroupByStatement) in StatementGenerator.ts, matching the pattern already implemented in toWhereStatement and the previous GHSA-p5g2-jm85-8g35 fix for _aggregateBy. The fix involves iterating over user-provided keys and throwing a BadDataException for any column name not recognized by the model via this.model.getTableColumn(key) before constructing SQL statements. Monitor the OneUptime GitHub repository at https://github.com/OneUptime/oneuptime and security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg for official patches. As an interim workaround, implement additional input validation at the API layer to restrict sort, select, and groupBy parameters to a whitelist of known-safe column names, or restrict access to analytics endpoints to only highly trusted authenticated users until patches can be deployed. Review ClickHouse audit logs for suspicious analytics queries containing unusual column names or SQL syntax in sort, select, or groupBy parameters.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-33142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy