Critical SQLi in Vendure: Unauthenticated Remote Code Execution Risk

The National Vulnerability Database has disclosed CVE-2026-40887, a critical SQL injection vulnerability in Vendure, an open-source headless commerce platform. This flaw, present in versions 1.7.4 up to 2.3.4, 3.5.7, and 3.6.2, allows unauthenticated attackers to execute arbitrary SQL commands against the underlying database via the Vendure Shop API. The vulnerability stems from direct interpolation of a user-controlled query string parameter into a raw SQL expression without proper sanitization or parameterization. All supported database backends—PostgreSQL, MySQL/MariaDB, and SQLite—are affected.

While the Admin API is also vulnerable, it requires prior authentication, significantly limiting its attack surface compared to the publicly exposed Shop API. The National Vulnerability Database indicates that patches are available in versions 2.3.4, 3.5.7, and 3.6.2. For organizations unable to upgrade immediately, Vendure offers a hotfix that validates the languageCode input using RequestContextService.getLanguageCode, effectively blocking injection payloads before they reach the database. This hotfix replaces the existing method in packages/core/src/service/helpers/request-context/request-context.service.ts.

This isn’t just a data breach risk; a successful SQL injection, especially unauthenticated, can lead to full system compromise, data exfiltration, or even remote code execution depending on the database configuration and underlying OS. For e-commerce platforms, this is catastrophic. Attackers will prioritize targets running vulnerable versions, looking for quick wins to gain persistence and extract sensitive customer and financial data. The CVSS score of 9.1 (Critical) underscores the severity and ease of exploitation.