CVE-2026-28438
SQL Injection in CocoIndex Doris Connector Allows Schema Manipulation
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cocoindex | cocoindex | to 0.3.34 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28438 is a vulnerability in the CocoIndex Doris target connector prior to version 0.3.34. The issue occurs because the connector does not verify the configured table name before creating certain SQL statements, specifically ALTER TABLE commands. If the table name is provided by an untrusted upstream source, this lack of validation allows an attacker to perform SQL injection during schema changes.
This vulnerability is classified under CWE-89, which involves improper neutralization of special elements used in SQL commands. Essentially, malicious input can alter the intended SQL behavior, potentially compromising the database.
The vulnerability was fixed in version 0.3.34 by adding validation to ensure that table names are valid identifiers and rejecting invalid names immediately.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform SQL injection attacks during schema changes if they can control or influence the table name used by the Doris target connector in CocoIndex.
SQL injection can lead to unauthorized data access, data manipulation, or corruption, potentially compromising the integrity and confidentiality of your database.
Since the vulnerability occurs during schema changes, it might also disrupt normal database operations or cause unexpected behavior in the application relying on CocoIndex.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves SQL injection through unvalidated table names in the Doris target connector of CocoIndex prior to version 0.3.34. Detection involves checking if the system is using a vulnerable version and whether untrusted inputs are used as table names in ALTER TABLE SQL statements.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation or presence of this vulnerability, you can:'}, {'type': 'list_item', 'content': 'Verify the CocoIndex version in use; versions prior to 0.3.34 are vulnerable.'}, {'type': 'list_item', 'content': 'Audit logs or SQL query logs for ALTER TABLE statements with suspicious or unexpected table names that could indicate injection attempts.'}, {'type': 'list_item', 'content': 'Use network monitoring tools to capture SQL traffic and inspect for malformed or injected SQL commands targeting the Doris connector.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but example commands include:'}, {'type': 'list_item', 'content': 'On Linux systems, check the installed CocoIndex version: `cocoindex --version` or check package manager info.'}, {'type': 'list_item', 'content': "Search logs for suspicious ALTER TABLE commands: `grep -i 'ALTER TABLE' /path/to/cocoindex/logs/*`"}, {'type': 'list_item', 'content': "Use network packet capture tools like tcpdump or Wireshark to filter SQL traffic: `tcpdump -i eth0 -A port 3306 | grep 'ALTER TABLE'` (adjust port/interface as needed)."}] [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade CocoIndex to version 0.3.34 or later, where the vulnerability has been fixed by validating table names before constructing SQL statements.
If upgrading immediately is not possible, apply the following workarounds:
- Ensure that all table names used in the Doris target connector configuration come from trusted sources.
- Implement input validation or sanitization on any upstream systems or inputs that provide table names to prevent malicious or malformed values.
- Monitor logs and network traffic for suspicious ALTER TABLE commands that could indicate exploitation attempts.