Skip to main content

SQLFluff CVE-2026-46373

HIGH
Uncontrolled Recursion (CWE-674)
2026-05-19 https://github.com/sqlfluff/sqlfluff GHSA-wmhf-fqc8-vxhh
7.5
CVSS 3.1 · Vendor: https://github.com/sqlfluff/sqlfluff
Share

Severity by source

Vendor (https://github.com/sqlfluff/sqlfluff) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (https://github.com/sqlfluff/sqlfluff) · only source for this CVE.

CVSS VectorVendor: https://github.com/sqlfluff/sqlfluff

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:31 vuln.today
Analysis Generated
May 19, 2026 - 20:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on sqlfluff (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.1.0.

DescriptionCVE.org

Impact

In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.

Patches

Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.

Credit

Ori Nakar from Imperva Threat Research Team.

AnalysisAI

Denial of service in SQLFluff (Python SQL linter/parser) below version 4.1.0 allows remote attackers to exhaust server resources by submitting SQL queries with deliberately excessive nesting, triggering uncontrolled recursion in the parser. The flaw (CWE-674) affects any application that accepts untrusted SQL input for linting and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H); no public exploit identified at time of analysis and EPSS data was not provided.

Technical ContextAI

SQLFluff is a popular open-source SQL linter and parser distributed via PyPI (pkg:pip/sqlfluff) and used in CI pipelines, IDE plugins, and hosted linting services. The underlying weakness is CWE-674 (Uncontrolled Recursion): the parser's grammar walks deeply nested SQL constructs recursively without a hard depth limit, so a query with deliberately deep nesting causes the Python call stack and CPU/memory to be consumed until the process crashes or becomes unresponsive. Because SQLFluff is often embedded as a library inside web services or developer-platform integrations that expose 'lint this query' endpoints, the recursion issue becomes a network-reachable DoS rather than a purely local one.

RemediationAI

Vendor-released patch: SQLFluff 4.1.0. Upgrade the sqlfluff PyPI package to 4.1.0 or later (for example, pip install --upgrade 'sqlfluff>=4.1.0') in any application, CI pipeline, or service that lints SQL, and pin the minimum version in requirements files and lockfiles to prevent regressions. Version 4.1.0 introduces a configurable recursion limit that is enabled by default; review the configuration if your workloads include legitimate deeply-nested SQL and tune the limit rather than disabling it. If immediate upgrade is impossible for services exposing linting to untrusted users, compensating controls include rejecting or truncating SQL inputs above a conservative byte/character size, capping parenthesis or keyword nesting depth at the application layer before invoking the parser, running the linter in an isolated subprocess with strict CPU and memory ulimits (so a crash does not affect the parent service), and rate-limiting the lint endpoint per source - each of these reduces availability risk but may reject some legitimate complex queries. Full advisory: https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh.

Share

CVE-2026-46373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy