
SQLFluff CVE-2026-46374

Severity: HIGH
Weakness: Uncontrolled Resource Consumption (CWE-400)
Published: 2026-05-19
Project: https://github.com/sqlfluff/sqlfluff
Advisory: GHSA-73jc-5mrq-prw7
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: May 19, 2026 - 20:30 (vuln.today)
Analysis Generated: May 19, 2026 - 20:30 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph resolved by vuln.today to a depth of 4):
  • 1 PyPI package depends on sqlfluff (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

Description (NVD)

Impact

In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.

Patches

Versions 4.2.0 and up contain a configurable parse node limit, which is enabled by default, to prevent this manner of exploit.

Credit

Ori Nakar from Imperva Threat Research Team.

Analysis (AI-generated)

Denial of service in SQLFluff parser (pip/sqlfluff) versions prior to 4.2.0 allows remote unauthenticated attackers to exhaust CPU and memory resources by submitting an excessively long or malicious SQL query for linting. The flaw affects any application that exposes the SQLFluff parser to untrusted input. …


Remediation (AI-generated)

Within 24 hours: Identify all SQLFluff deployments and determine which systems process external or untrusted SQL input. Within 7 days: Implement compensating controls for high-risk instances and restrict parser access to authenticated, internal users only. …
