
Dagster CVE-2026-41490

EUVD-2026-28368 | Severity: HIGH | SQL Injection (CWE-89)
Published 2026-05-07 | Source: GitHub_M | GHSA-mjw2-v2hm-wj34
CVSS 3.1 base score: 8.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Source Code Evidence Fetched: May 07, 2026 - 14:30 (vuln.today)
Analysis Generated: May 07, 2026 - 14:30 (vuln.today)
CVE Published: May 07, 2026 - 13:15 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 67 pypi packages depend on dagster (65 direct, 2 indirect)
  • 3 pypi packages depend on dagster-duckdb (3 direct, 0 indirect)
  • 2 pypi packages depend on dagster-gcp (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.13.1 and other introduced versions.

Description (NVD)

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1.
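The flaw described above is the classic "key spliced into SQL text" pattern. The following is an added example, not Dagster's own I/O manager code: it puts the vulnerable interpolation next to the parameterised form and shows, on a constructed in-memory table, how a partition key containing a quote changes the meaning of the vulnerable query while the bound-parameter version treats it as an ordinary string. sqlite3 stands in for DuckDB, Snowflake, BigQuery and DeltaLake so the script runs offline; the table, column and partition keys are constructed, and the identifier-style allowlist at the end is an additional defence-in-depth check assumed here, not a statement of what the upstream patch does.

```python
"""Added example (not Dagster's code): interpolated vs. parameterised partition lookup.

sqlite3 stands in for the real warehouse backends so this runs offline; the
table, column name and partition keys below are constructed for the demo.
"""
import re
import sqlite3

# Hypothetical partition column; a real I/O manager would take this from config.
PARTITION_COLUMN = "partition_key"


def make_db() -> sqlite3.Connection:
    """Build a small constructed table with one row per partition."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE events ({PARTITION_COLUMN} TEXT, payload TEXT)")
    conn.executemany(
        f"INSERT INTO events ({PARTITION_COLUMN}, payload) VALUES (?, ?)",
        [("customer_a", "a-row"), ("customer_b", "b-row"), ("customer_c", "c-row")],
    )
    return conn


def load_partition_vulnerable(conn: sqlite3.Connection, partition_key: str) -> list:
    """Vulnerable pattern: the key becomes part of the SQL text itself."""
    sql = f"SELECT payload FROM events WHERE {PARTITION_COLUMN} = '{partition_key}'"
    return [row[0] for row in conn.execute(sql)]


def load_partition_fixed(conn: sqlite3.Connection, partition_key: str) -> list:
    """Hardened pattern: the key travels as a bound parameter, never as SQL."""
    sql = f"SELECT payload FROM events WHERE {PARTITION_COLUMN} = ?"
    return [row[0] for row in conn.execute(sql, (partition_key,))]


# Defence in depth (assumption: partition keys are identifier-like). Rejecting
# anything else at the API boundary limits what a key can ever carry, even if
# some downstream code path still builds SQL by hand.
PARTITION_KEY_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,128}")


def is_safe_partition_key(key: str) -> bool:
    return PARTITION_KEY_PATTERN.fullmatch(key) is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile key: a quote followed by an always-true predicate.
    hostile = "x' OR '1'='1"
    print("vulnerable:", load_partition_vulnerable(db, hostile))  # every row leaks
    print("fixed:     ", load_partition_fixed(db, hostile))       # no match
    print("allowlist: ", is_safe_partition_key(hostile))          # False
```

Parameter binding is the fix because the database driver never parses the key as SQL; escaping quotes by hand is weaker, since each backend has its own quoting rules and one missed case reopens the hole. The allowlist is worth keeping as a second layer at the point where dynamic partitions are added, which is exactly the permission the advisory names.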

Analysis (AI)

SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. …


Remediation (AI)

Within 24 hours: identify all Dagster deployments using dynamic partitions and document current versions of Dagster Core and associated libraries. Within 7 days: upgrade Dagster Core to version 1.13.1 or later and upgrade dependent I/O manager libraries to version 0.29.1 or later; apply changes to staging environments first and validate partition operations. …
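The first remediation step is an inventory of installed versions against the patched releases. The script below is an added example, not tooling from vuln.today or the Dagster project: it reads the Dagster distributions present in the current Python environment and classifies each against the thresholds the advisory gives (dagster 1.13.1, libraries 0.29.1). The set of library distribution names is an assumption taken from the backends the advisory lists; extend LIBRARY_PACKAGES to match your deployment. The version parser is deliberately minimal and treats pre-release builds of the fixed version as still vulnerable.

```python
"""Added example (not vuln.today's or Dagster's tooling): triage installed
Dagster packages against the patched versions named in the advisory.
"""
import re
from importlib import metadata

# Thresholds from the advisory text.
CORE_FIXED = (1, 13, 1)
LIB_FIXED = (0, 29, 1)
# Assumption: the affected I/O managers ship in these distributions.
LIBRARY_PACKAGES = ("dagster-duckdb", "dagster-snowflake", "dagster-gcp", "dagster-deltalake")

# major.minor.patch with an optional pre-release tag (a1, b2, rc1, dev3).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]?(a|b|rc|dev)\d*)?")


def version_key(text: str) -> tuple:
    """Comparable key; pre-releases sort below the final release of the same number."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def fixed_version_for(dist_name: str):
    """Return the first patched version for a tracked distribution, else None."""
    name = dist_name.lower().replace("_", "-")
    if name == "dagster":
        return CORE_FIXED
    if name in LIBRARY_PACKAGES:
        return LIB_FIXED
    return None


def triage(installed: dict) -> dict:
    """Map {dist_name: version} to {dist_name: 'vulnerable' | 'fixed' | 'untracked'}."""
    result = {}
    for name, version in installed.items():
        fixed = fixed_version_for(name)
        if fixed is None:
            result[name] = "untracked"
        elif version_key(version) < fixed + (1,):
            result[name] = "vulnerable"
        else:
            result[name] = "fixed"
    return result


def installed_dagster_packages() -> dict:
    """Collect every installed distribution whose name starts with 'dagster'."""
    found = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and name.lower().startswith("dagster"):
            found[name] = dist.version
    return found


if __name__ == "__main__":
    for name, status in sorted(triage(installed_dagster_packages()).items()):
        print(f"{name}: {status}")
```

Run it inside each deployment's environment (or container image) and record the output; an "untracked" entry is a Dagster package the advisory does not name, which is fine to leave at its current version but worth listing so the inventory is complete. Note that a fixed core version does not cover a library still below 0.29.1, and vice versa; both must pass.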



CVE-2026-41490 vulnerability details – vuln.today
