CKAN CVE-2026-42032
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
A vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information
Patches
The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5
Workarounds
Disable the DataStore SQL search (ckan.datastore.sqlsearch.enabled = false). Note that the SQL search is disabled by default.
More information
As stated in the documentation, this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in your DataStore and the likelihood of abuse of your site, you may choose to disable this action function or restrict its use with a IAuthFunctions plugin.
Credits
- Reported by Arvin Shivram of Brutecat Security
AnalysisAI
Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.
Technical ContextAI
The vulnerability affects the datastore_search_sql action function in CKAN, a data management and API platform built on PostgreSQL. CWE-863 (Incorrect Authorization) indicates the root cause is insufficient access control validation when processing SQL search requests against private DataStore resources. The datastore_search_sql feature is designed to allow SQL queries against DataStore datasets but includes built-in protections that proved insufficient to prevent authorization bypass. Attackers leveraging this flaw can bypass intended authorization checks to query private data and extract metadata about PostgreSQL system tables, potentially revealing sensitive schema and configuration information.
RemediationAI
Apply vendor-released patch by upgrading to CKAN 2.10.10 or later (for 2.10.x users) or CKAN 2.11.5 or later (for 2.11.x users). If immediate patching is not feasible, disable the DataStore SQL search feature by setting ckan.datastore.sqlsearch.enabled = false in your CKAN configuration file; this workaround eliminates the vulnerability surface but removes SQL query functionality for DataStore users who rely on it. As an alternative or additional hardening measure, implement custom authorization logic using the IAuthFunctions plugin interface to restrict datastore_search_sql access to specific authenticated users or roles, allowing controlled enablement without full exposure. Verify the setting is applied correctly and test DataStore functionality after deployment. References: https://github.com/ckan/ckan/security/advisories/GHSA-cg4x-64p3-x59h, https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29, https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cg4x-64p3-x59h