CVE-2026-29953
Received Received - Intake
SQL Injection in SchemaHero 0.23.0 Postgres Column Parameter

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: MITRE

Description
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29953
EUVD
EUVD-2026-17131
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
schemahero schemahero to 0.23.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29953 is a high-severity SQL injection vulnerability in SchemaHero version 0.23.0 and earlier. It occurs due to improper handling of column definitions in Table Custom Resource Definitions (CRDs), specifically in the processing of default values and column names for PostgreSQL and MySQL databases.

For PostgreSQL, default values are concatenated directly into SQL statements without proper escaping, allowing attackers to inject SQL expressions such as functions like current_user and version(). For MySQL, similar issues exist where default values are concatenated without escaping, and column names wrapped in backticks are not properly escaped, enabling attackers to inject additional columns by prematurely closing backticks and appending malicious SQL.

The vulnerability can be exploited by attackers with low privileges who have permission to create Table CRDs in Kubernetes environments using SchemaHero. No user interaction is required, and if the immediateDeploy flag is set to true, malicious Table CRDs are deployed automatically, facilitating exploitation.

Impact Analysis

This vulnerability can lead to several serious impacts including leakage of sensitive information, such as the current database user and version, through injected PostgreSQL functions.

Attackers can inject arbitrary additional columns with malicious default values into MySQL tables, tamper with database table structures, manipulate data, and potentially escalate privileges.

Because the attack vector is network-based with low complexity and requires only low privileges, exploitation can occur without user interaction, especially when automatic deployment of Table CRDs is enabled.

Detection Guidance

Detection of this vulnerability involves monitoring for the creation and deployment of malicious Table Custom Resource Definitions (CRDs) in Kubernetes clusters using SchemaHero up to version 0.23.0.

Specifically, you can look for Table CRDs that include suspicious default values containing PostgreSQL functions like current_user or version(), or MySQL column names with unescaped backticks that could indicate injection attempts.

Commands to help detect exploitation attempts include:

  • Use kubectl to list Table CRDs and inspect their specifications for suspicious default values or column names: kubectl get tables -A -o yaml | grep -E "current_user|version|`"
  • Check SchemaHero controller logs for SQL statements containing injected functions or malformed column definitions.
  • Query the affected PostgreSQL or MySQL databases to identify unexpected columns or default values that reveal sensitive information, for example: SELECT column_name, column_default FROM information_schema.columns WHERE table_name = '<target_table>';
Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using SchemaHero versions up to and including 0.23.0; upgrade to a patched version once available.
  • Disable or restrict permissions to create Table CRDs in Kubernetes to prevent attackers from deploying malicious CRDs.
  • Set the Database.spec.immediateDeploy flag to false to require manual approval before deploying Table CRDs.
  • Implement input validation and escaping in your SchemaHero deployment: escape single quotes in default values by replacing ' with '', escape backticks in MySQL column names by doubling them, and whitelist allowed characters in column names and default values.
  • Monitor logs and database schemas for signs of injection or unauthorized schema changes.
Compliance Impact

CVE-2026-29953 allows attackers to execute arbitrary SQL code via crafted Table CRDs in SchemaHero, leading to leakage of sensitive information such as database user details and version information.

This leakage and potential tampering with database schemas and data integrity could result in unauthorized access to sensitive personal or protected health information, thereby impacting compliance with standards and regulations like GDPR and HIPAA that require protection of such data.

The vulnerability enables attackers with minimal privileges to compromise database confidentiality and integrity, which may lead to violations of data protection requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart