GHSA-JP74-MFRX-3QVH

Vulnerability from github – Published: 2026-04-16 22:51 – Updated: 2026-04-27 16:20
VLAI?
Summary
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Details

Summary

A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend.

Details

The issue affects the mobile-sync endpoints:

  • POST /sync/load_changes
  • POST /sync/deletes

According to the provided analysis, user-controlled values from the request body are interpolated directly into SQL template literals without parameterization, type enforcement, or sanitization. In particular, req.body.syncInfos[tableName].maxLoadedId is embedded into SQL in getSyncRows() and timestamp-derived values are similarly interpolated in getDelRows().

Relevant vulnerable code paths include:

  • packages/server/routes/sync.jsgetSyncRows()
  • branch using where data_tbl."${db.sqlsanitize(pkName)}" > ${syncInfo.maxLoadedId}
  • branch using and info_tbl.ref > ${syncInfo.maxLoadedId}
  • packages/server/routes/sync.jsgetDelRows()
  • timestamp expressions built from request-controlled values and inserted into SQL
  • packages/server/routes/sync.js/load_changes route handler
  • request body fields are passed into the SQL-building functions without validation or safe binding

The root cause is that values are treated as trusted SQL fragments rather than bound parameters. While db.sqlsanitize() is used for identifiers elsewhere, that does not protect interpolated values and is not intended to prevent value-based SQL injection. The report notes there is no parseInt(), numeric validation, or prepared-statement binding before these values are concatenated into the query string.

This means a normal authenticated user can escape the intended query logic and execute arbitrary SQL in the context of the application database. The provided evidence demonstrates successful extraction of user records and schema information through the vulnerable sync route, confirming that the injection is practically exploitable.

PoC

Based on the provided report, the issue can be reproduced by authenticating as a normal user, sending a crafted request to the affected sync endpoint, and placing a malicious SQL expression into the sync metadata field that is later interpolated into the backend query. Successful exploitation returns attacker-selected database contents in the sync response.

Impact

  • Type: SQL injection
  • Who is impacted: Any Saltcorn deployment exposing the affected mobile-sync routes to authenticated users
  • Security impact: An authenticated low-privilege user may exfiltrate the full database, including password hashes, configuration secrets, application data, and schema information; on some backends, the same flaw may also permit writes, schema changes, or destructive operations
  • Attack preconditions: The attacker needs a valid authenticated account with access to at least one readable table through the sync feature
  • Privilege impact: The issue allows escalation from normal user access to database-wide compromise
Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0-beta.0"
            },
            {
              "fixed": "1.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0-alpha.0"
            },
            {
              "fixed": "1.6.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:51:43Z",
    "nvd_published_at": "2026-04-24T21:16:19Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA critical SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. \n\n### Details\nThe issue affects the mobile-sync endpoints:\n\n- `POST /sync/load_changes`\n- `POST /sync/deletes`\n\nAccording to the provided analysis, user-controlled values from the request body are interpolated directly into SQL template literals without parameterization, type enforcement, or sanitization. In particular, `req.body.syncInfos[tableName].maxLoadedId` is embedded into SQL in `getSyncRows()` and timestamp-derived values are similarly interpolated in `getDelRows()`. \n\nRelevant vulnerable code paths include:\n\n- `packages/server/routes/sync.js` \u2014 `getSyncRows()`\n  - branch using `where data_tbl.\"${db.sqlsanitize(pkName)}\" \u003e ${syncInfo.maxLoadedId}`\n  - branch using `and info_tbl.ref \u003e ${syncInfo.maxLoadedId}`\n- `packages/server/routes/sync.js` \u2014 `getDelRows()`\n  - timestamp expressions built from request-controlled values and inserted into SQL\n- `packages/server/routes/sync.js` \u2014 `/load_changes` route handler\n  - request body fields are passed into the SQL-building functions without validation or safe binding\n\nThe root cause is that values are treated as trusted SQL fragments rather than bound parameters. While `db.sqlsanitize()` is used for identifiers elsewhere, that does not protect interpolated values and is not intended to prevent value-based SQL injection. The report notes there is no `parseInt()`, numeric validation, or prepared-statement binding before these values are concatenated into the query string. \n\nThis means a normal authenticated user can escape the intended query logic and execute arbitrary SQL in the context of the application database. The provided evidence demonstrates successful extraction of user records and schema information through the vulnerable sync route, confirming that the injection is practically exploitable. \n\n### PoC\nBased on the provided report, the issue can be reproduced by authenticating as a normal user, sending a crafted request to the affected sync endpoint, and placing a malicious SQL expression into the sync metadata field that is later interpolated into the backend query. Successful exploitation returns attacker-selected database contents in the sync response. \n\n### Impact\n- **Type:** SQL injection\n- **Who is impacted:** Any Saltcorn deployment exposing the affected mobile-sync routes to authenticated users\n- **Security impact:** An authenticated low-privilege user may exfiltrate the full database, including password hashes, configuration secrets, application data, and schema information; on some backends, the same flaw may also permit writes, schema changes, or destructive operations\n- **Attack preconditions:** The attacker needs a valid authenticated account with access to at least one readable table through the sync feature\n- **Privilege impact:** The issue allows escalation from normal user access to database-wide compromise",
  "id": "GHSA-jp74-mfrx-3qvh",
  "modified": "2026-04-27T16:20:03Z",
  "published": "2026-04-16T22:51:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.