{"vulnerability": "CVE-2026-39196", "sightings": [{"uuid": "acb837cb-a120-4f5f-9bb1-a64c20ccea60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39196", "type": "seen", "source": "https://gist.github.com/pyuysig/423b15c69e3cd851c1e24c1312a0551a", "content": "# Vulnerability Report: CVE-2026-39196 - Vector - SQL injection in ClickHouse sink database template handling\n\n## Vulnerability Summary\nDatadog Vector 0.54.0 contains a SQL injection issue in the ClickHouse sink query construction path. When the clickhouse sink database setting is rendered from attacker-controlled event fields, an attacker can inject SQL syntax into the generated INSERT query and redirect writes to unintended ClickHouse tables accessible to the Vector credential.\n\n## Affected Product\n- **Vendor**: Datadog, Inc.\n- **Product**: Vector\n- **Version**: 0.54.0\n- **Vulnerable Component**: src/sinks/clickhouse/config.rs, src/sinks/clickhouse/sink.rs, src/sinks/clickhouse/service.rs, KeyPartitioner::partition, set_uri_query\n\n## Vulnerability Details\n- **Vulnerability Type**: SQL Injection\n- **Weakness**: CWE-89\n- **Attack Conditions**: Remote. The attacker must be able to submit events into a Vector pipeline whose ClickHouse sink uses a dynamic database template derived from attacker-controlled event fields.\n\n## Report Body\n\n### Summary\nDatadog Vector 0.54.0 contains a SQL injection issue in the ClickHouse sink query construction path. When the clickhouse sink database setting is rendered from attacker-controlled event fields, an attacker can inject SQL syntax into the generated INSERT query and redirect writes to unintended ClickHouse tables accessible to the Vector credential.\n\n### Details\nThe ClickHouse sink allows both table and database to be configured as templates. During partitioning, event data is rendered into the database and table values. The HTTP query builder then constructs INSERT INTO \"{database}\".\"{table}\" FORMAT ... but only escapes quotes in table, leaving database unescaped. URL encoding the HTTP query parameter does not neutralize SQL syntax after ClickHouse decodes the request.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-39196.\n3. Confirm the security result: A configuration such as database = \"{{ target_db }}\" and table = \"safe_table\" can be driven with target_db set to prod\".\"admin_logs\" FORMAT JSONEachRow -- . The resulting query changes the target from the configured table to prod.admin_logs if the target table schema and privileges permit it.\n\n### Impact\nIntegrity impact against downstream ClickHouse data. The demonstrated impact is attacker-controlled alteration of the INSERT target table and log or audit data poisoning, subject to sink configuration and ClickHouse permissions.\n\n## Remediation\nEscape or quote database identifiers using the same or stronger rules as table identifiers, or avoid SQL string construction from rendered templates. Consider validating rendered database and table identifiers against an allowlist.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:31.000000Z"}]}