PostgreSQL CVE-2026-42031

HIGH
SQL Injection (CWE-89)
2026-04-29 https://github.com/ckan/ckan GHSA-h7j7-3rx6-xvcg
PostgreSQL SQLi
Share

DescriptionNVD

Impact

A vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information.

Patches

The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5

Workarounds

Disable the DataStore SQL search (ckan.datastore.sqlsearch.enabled = false). Note that the SQL search is disabled by default.

More information

As stated in the documentation, this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a IAuthFunctions plugin.

Credits

  • Reported by Arvin Shivram of Brutecat Security

Analysis

A vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 Disable the DataStore SQL search (ckan.datastore.sqlsearch.enabled = false). …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-42031 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy