CVE-2026-29953
SQL Injection in SchemaHero 0.23.0 Postgres Column Parameter

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: MITRE

Description
SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product      Version / Range
schemahero  schemahero   up to 0.23.0 (inclusive)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29953 is a high-severity SQL injection vulnerability in SchemaHero version 0.23.0 and earlier. It occurs due to improper handling of column definitions in Table Custom Resource Definitions (CRDs), specifically in the processing of default values and column names for PostgreSQL and MySQL databases.

For PostgreSQL, default values are concatenated directly into SQL statements without proper escaping, allowing attackers to inject SQL expressions such as functions like current_user and version(). For MySQL, similar issues exist where default values are concatenated without escaping, and column names wrapped in backticks are not properly escaped, enabling attackers to inject additional columns by prematurely closing backticks and appending malicious SQL.

The vulnerability can be exploited by attackers with low privileges who have permission to create Table CRDs in Kubernetes environments using SchemaHero. No user interaction is required, and if the immediateDeploy flag is set to true, malicious Table CRDs are deployed automatically, facilitating exploitation.


How can this vulnerability impact me?

This vulnerability can lead to several serious impacts including leakage of sensitive information, such as the current database user and version, through injected PostgreSQL functions.

Attackers can inject arbitrary additional columns with malicious default values into MySQL tables, tamper with database table structures, manipulate data, and potentially escalate privileges.

Because the attack vector is network-based with low complexity and requires only low privileges, exploitation can occur without user interaction, especially when automatic deployment of Table CRDs is enabled.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for the creation and deployment of malicious Table Custom Resource Definitions (CRDs) in Kubernetes clusters using SchemaHero up to version 0.23.0.

Specifically, you can look for Table CRDs that include suspicious default values containing PostgreSQL functions like current_user or version(), or MySQL column names with unescaped backticks that could indicate injection attempts.

Commands to help detect exploitation attempts include:

  • Use kubectl to list Table CRDs and inspect their specifications for suspicious default values or column names (the pattern must be single-quoted, because a backtick inside double quotes would be parsed by the shell as command substitution): kubectl get tables -A -o yaml | grep -E 'current_user|version|`'
  • Check SchemaHero controller logs for SQL statements containing injected functions or malformed column definitions.
  • Query the affected PostgreSQL or MySQL databases to identify unexpected columns or default values that reveal sensitive information, for example: SELECT column_name, column_default FROM information_schema.columns WHERE table_name = '<target_table>';

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Avoid using SchemaHero versions up to and including 0.23.0; upgrade to a patched version once available.
  • Disable or restrict permissions to create Table CRDs in Kubernetes to prevent attackers from deploying malicious CRDs.
  • Set the Database.spec.immediateDeploy flag to false to require manual approval before deploying Table CRDs.
  • Implement input validation and escaping in your SchemaHero deployment: escape single quotes in default values by replacing ' with '', escape backticks in MySQL column names by doubling them, and whitelist allowed characters in column names and default values.
  • Monitor logs and database schemas for signs of injection or unauthorized schema changes.
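As an added illustration of the escaping and allow-listing steps above (example code written for this page, not SchemaHero's own; the function names, the identifier allowlist and the sample value are assumptions), here is the unsafe concatenation pattern beside a hardened PostgreSQL variant that can also be used to validate incoming CRD fields before any DDL is built:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for column names (assumption for this example): a letter or
// underscore followed by up to 62 letters, digits or underscores.
var identPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// UnsafeColumnDDL shows the pattern the advisory describes: the name and the
// default value are concatenated straight into the DDL fragment.
func UnsafeColumnDDL(name, typ, def string) string {
	return fmt.Sprintf("%s %s DEFAULT '%s'", name, typ, def)
}

// QuoteIdentifier rejects names outside the allowlist and wraps the rest in
// double quotes, doubling any embedded double quote as PostgreSQL requires.
func QuoteIdentifier(name string) (string, error) {
	if !identPattern.MatchString(name) {
		return "", fmt.Errorf("column name %q is not allowed", name)
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`, nil
}

// QuoteLiteral emits the default as a PostgreSQL string literal with every
// single quote doubled, so the value cannot terminate the literal.
func QuoteLiteral(value string) string {
	return "'" + strings.ReplaceAll(value, "'", "''") + "'"
}

// SafeColumnDDL builds the same fragment as UnsafeColumnDDL with the name
// allowlisted and quoted and the default emitted as a literal. The type is
// assumed to come from a fixed enumeration in the schema, not from free text.
func SafeColumnDDL(name, typ, def string) (string, error) {
	q, err := QuoteIdentifier(name)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s %s DEFAULT %s", q, typ, QuoteLiteral(def)), nil
}

func main() {
	// Constructed sample default containing a quote character.
	fmt.Println(UnsafeColumnDDL("note", "text", "it's"))
	safe, err := SafeColumnDDL("note", "text", "it's")
	fmt.Println(safe, err)
}
```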

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-29953 allows attackers to execute arbitrary SQL code via crafted Table CRDs in SchemaHero, leading to leakage of sensitive information such as database user details and version information.

This leakage and potential tampering with database schemas and data integrity could result in unauthorized access to sensitive personal or protected health information, thereby impacting compliance with standards and regulations like GDPR and HIPAA that require protection of such data.

The vulnerability enables attackers with minimal privileges to compromise database confidentiality and integrity, which may lead to violations of data protection requirements mandated by these regulations.

