Skip to main content

CKAN CVE-2026-42032

MEDIUM
Incorrect Authorization (CWE-863)
2026-04-30 https://github.com/ckan/ckan GHSA-cg4x-64p3-x59h
6.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
May 13, 2026 - 19:22 NVD
6.7 (MEDIUM)
Source Code Evidence Fetched
Apr 30, 2026 - 18:00 vuln.today
Analysis Generated
Apr 30, 2026 - 18:00 vuln.today
Analysis Generated
Apr 30, 2026 - 17:45 vuln.today
CVE Published
Apr 30, 2026 - 17:34 nvd
MEDIUM

DescriptionGitHub Advisory

Impact

A vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information

Patches

The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5

Workarounds

Disable the DataStore SQL search (ckan.datastore.sqlsearch.enabled = false). Note that the SQL search is disabled by default.

More information

As stated in the documentation, this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in your DataStore and the likelihood of abuse of your site, you may choose to disable this action function or restrict its use with a IAuthFunctions plugin.

Credits

  • Reported by Arvin Shivram of Brutecat Security

AnalysisAI

Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.

Technical ContextAI

The vulnerability affects the datastore_search_sql action function in CKAN, a data management and API platform built on PostgreSQL. CWE-863 (Incorrect Authorization) indicates the root cause is insufficient access control validation when processing SQL search requests against private DataStore resources. The datastore_search_sql feature is designed to allow SQL queries against DataStore datasets but includes built-in protections that proved insufficient to prevent authorization bypass. Attackers leveraging this flaw can bypass intended authorization checks to query private data and extract metadata about PostgreSQL system tables, potentially revealing sensitive schema and configuration information.

RemediationAI

Apply vendor-released patch by upgrading to CKAN 2.10.10 or later (for 2.10.x users) or CKAN 2.11.5 or later (for 2.11.x users). If immediate patching is not feasible, disable the DataStore SQL search feature by setting ckan.datastore.sqlsearch.enabled = false in your CKAN configuration file; this workaround eliminates the vulnerability surface but removes SQL query functionality for DataStore users who rely on it. As an alternative or additional hardening measure, implement custom authorization logic using the IAuthFunctions plugin interface to restrict datastore_search_sql access to specific authenticated users or roles, allowing controlled enablement without full exposure. Verify the setting is applied correctly and test DataStore functionality after deployment. References: https://github.com/ckan/ckan/security/advisories/GHSA-cg4x-64p3-x59h, https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29, https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-42032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy