PostgreSQL
CVE-2026-33142
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
The fix for GHSA-p5g2-jm85-8g35 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns.
ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggregate endpoint can inject arbitrary SQL through crafted sort, select, or groupBy keys.
Details
Root cause
StatementGenerator.ts has four methods that iterate over user-provided object keys to build SQL:
| Method | Validates keys? |
|---|---|
toWhereStatement (line 292) | Yes - calls this.model.getTableColumn(key) |
toSortStatement (line 467) | No |
toSelectStatement (line 483) | No |
toGroupByStatement (line 451) | No |
In Statement.ts, when a value passed to the SQL tagged template is a string, it receives the Identifier data type (line 40). Per ClickHouse documentation, Identifier parameters are substituted directly into the query without quoting or escaping. This is correct for trusted column names but unsafe for user input.
Input flow
BaseAnalyticsAPI.ts deserializes sort, select, and groupBy directly from req.body (lines 239-253) and passes them to the service layer without column validation:
sort = JSONFunctions.deserialize(req.body["sort"]) as Sort<AnalyticsDataModel>;
select = JSONFunctions.deserialize(req.body["select"]) as Select<AnalyticsDataModel>;
groupBy = JSONFunctions.deserialize(req.body["groupBy"]) as GroupBy<AnalyticsDataModel>;Affected endpoints
Any endpoint backed by BaseAnalyticsAPI.getList() or BaseAnalyticsAPI.getAggregate() - this includes analytics queries for logs, metrics, spans, and exceptions.
Impact
An authenticated user can inject arbitrary ClickHouse SQL through crafted column names in sort, select, or groupBy request parameters. This allows reading, modifying, or deleting analytics data (logs, metrics, traces) stored in ClickHouse. PostgreSQL data is not affected (separate query path).
Suggested Fix
Add the same getTableColumn() validation already present in toWhereStatement to the three unvalidated methods:
// toSortStatement, toSelectStatement, toGroupByStatement
for (const key in sort) {
if (!this.model.getTableColumn(key)) {
throw new BadDataException(`Unknown column: ${key}`);
}
// existing logic
}This matches the pattern used in the GHSA-p5g2 fix for _aggregateBy and the existing toWhereStatement validation.
AnalysisAI
SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.
Technical ContextAI
This vulnerability affects the OneUptime npm package (pkg:npm/oneuptime), specifically in the StatementGenerator.ts component that constructs ClickHouse SQL queries for analytics data. The root cause is CWE-89 (SQL Injection) stemming from improper neutralization of special elements in SQL commands. ClickHouse Identifier parameters are substituted directly into queries without escaping or quoting, which is safe only for trusted column names. While the earlier GHSA-p5g2-jm85-8g35 fix added validation to the _aggregateBy method via getTableColumn() checks, the same protection was not applied to toSortStatement, toSelectStatement, and toGroupByStatement methods. These methods receive deserialized user input from req.body through BaseAnalyticsAPI.ts without column validation, creating multiple injection vectors. The vulnerability is isolated to ClickHouse analytics data; PostgreSQL data paths remain unaffected as they use separate query construction logic.
RemediationAI
Apply the suggested fix by adding getTableColumn() validation to the three unvalidated methods (toSortStatement, toSelectStatement, toGroupByStatement) in StatementGenerator.ts, matching the pattern already implemented in toWhereStatement and the previous GHSA-p5g2-jm85-8g35 fix for _aggregateBy. The fix involves iterating over user-provided keys and throwing a BadDataException for any column name not recognized by the model via this.model.getTableColumn(key) before constructing SQL statements. Monitor the OneUptime GitHub repository at https://github.com/OneUptime/oneuptime and security advisory at https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gcg3-c5p2-cqgg for official patches. As an interim workaround, implement additional input validation at the API layer to restrict sort, select, and groupBy parameters to a whitelist of known-safe column names, or restrict access to analytics endpoints to only highly trusted authenticated users until patches can be deployed. Review ClickHouse audit logs for suspicious analytics queries containing unusual column names or SQL syntax in sort, select, or groupBy parameters.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gcg3-c5p2-cqgg