Skip to main content

SQLFluff CVE-2026-46374

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-19 https://github.com/sqlfluff/sqlfluff GHSA-73jc-5mrq-prw7
7.5
CVSS 3.1 · Vendor: https://github.com/sqlfluff/sqlfluff
Share

Severity by source

Vendor (https://github.com/sqlfluff/sqlfluff) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (https://github.com/sqlfluff/sqlfluff) · only source for this CVE.

CVSS VectorVendor: https://github.com/sqlfluff/sqlfluff

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:30 vuln.today
Analysis Generated
May 19, 2026 - 20:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on sqlfluff (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionCVE.org

Impact

In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.

Patches

Versions 4.2.0 and up contain a configurable parse node limit, which is enabled by default, to prevent this manner of exploit.

Credit

Ori Nakar from Imperva Threat Research Team.

AnalysisAI

Denial of service in SQLFluff parser (pip/sqlfluff) versions prior to 4.2.0 allows remote unauthenticated attackers to exhaust CPU and memory resources by submitting an excessively long or malicious SQL query for linting. The flaw affects any application that exposes the SQLFluff parser to untrusted input. No public exploit identified at time of analysis, but the issue was responsibly reported by Imperva Threat Research.

Technical ContextAI

SQLFluff is a widely used Python-based SQL linter and formatter distributed via PyPI (pkg:pip/sqlfluff) that parses SQL into an abstract syntax tree before applying lint rules. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): the parser previously had no upper bound on the number of parse nodes it would generate for a single input query, so an adversarially crafted long query could force the parser to allocate an unbounded tree, consuming CPU cycles and memory until the host process becomes unresponsive. The vendor fix introduces a configurable parse node limit, enabled by default starting in 4.2.0, that aborts parsing once the node ceiling is reached.

RemediationAI

Upgrade SQLFluff to vendor-released patch 4.2.0 or later (pip install --upgrade 'sqlfluff>=4.2.0'), which ships the configurable parse node limit enabled by default; see the advisory at https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-73jc-5mrq-prw7 for details. If immediate upgrade is not feasible, compensating controls include refusing to lint queries above a strict byte/length threshold at the application boundary before handing them to SQLFluff (trade-off: legitimately large generated SQL may be rejected), running the linter in a sandboxed worker with hard CPU and memory cgroup limits and short wall-clock timeouts so a runaway parse can be killed without affecting the host (trade-off: added operational complexity), and restricting the linting endpoint to authenticated internal users until the upgrade is rolled out (trade-off: removes any public self-service linting feature).

Share

CVE-2026-46374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy