CVE-2026-30870
Improper Access Control in PowerSync Service Sync Streams
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powersync | service | < 1.20.1 (1.20.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30870 is a vulnerability in PowerSync Service version 1.20.0 related to improper authorization during data synchronization.
When using new sync streams configured with config.edition: 3, certain subquery filters that are supposed to restrict which data is synced to users are ignored.
This means authenticated users could sync data they should not have access to, depending on the sync stream configuration.
Only queries that gate synchronization using subqueries without partitioning the result set are affected, while other sync configurations are not impacted.
The root cause is improper authorization checks where the system fails to enforce access restrictions correctly during synchronization.
This vulnerability is fixed in version 1.20.1; remediation consists of upgrading to that version and restarting the service.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized data synchronization, allowing authenticated users to access and sync data they should not be permitted to see.
The impact is primarily on confidentiality, as sensitive data could be exposed to unauthorized users.
There is no impact on data integrity or availability.
Because the attack vector is network-based and requires low privileges but no user interaction, an attacker with some level of access could exploit this to gain unauthorized data access.
However, no data is exposed without authentication.
The issue is resolved by upgrading to version 1.20.1 and restarting the service; any erroneously synced data will be automatically removed from user devices upon reconnection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in PowerSync Service version 1.20.0 when using sync streams configured with config.edition: 3, where certain subquery filters are ignored, allowing unauthorized data synchronization.
To detect if your system is affected, check the version of your PowerSync Service and the configuration of your sync streams.
- Verify the PowerSync Service version by running a command to check the installed version, for example: `powersync-service --version` or checking the service metadata.
- Inspect your sync stream configurations to see if any use `config.edition: 3`.
- Review sync queries that use subqueries in WHERE clauses without partitioning the result set, such as queries filtering sensitive tables with subqueries involving user authorization.
There are no specific network or system commands provided to detect exploitation of this vulnerability directly.
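As an added example (not from the advisory or the PowerSync project), a small Python triage script that applies the three checks above to a sync-stream configuration: the version comparison against 1.20.1, the `config.edition: 3` check, and a regex scan for subqueries inside WHERE clauses. The configuration dict and its key layout are constructed for illustration and are not PowerSync's documented schema; because the script cannot tell whether a result set is partitioned, every WHERE subquery it finds is flagged for manual review.

```python
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 20, 1)  # first fixed release named in the advisory

# Constructed sample configuration. The key layout (version, config.edition,
# streams.<name>.query) is an assumption for this example only.
SAMPLE_CONFIG = {
    "version": "1.20.0",
    "config": {"edition": 3},
    "streams": {
        # Access gated solely by a subquery in WHERE: the pattern the advisory describes.
        "documents": {
            "query": "SELECT * FROM documents WHERE org_id IN "
                     "(SELECT org_id FROM memberships WHERE user_id = auth.user_id())"
        },
        # Plain column comparison, no subquery: not the affected pattern.
        "todos": {"query": "SELECT * FROM todos WHERE owner_id = auth.user_id()"},
    },
}

# Matches a '(SELECT' that appears anywhere after the WHERE keyword.
SUBQUERY_RE = re.compile(r"\bWHERE\b.*?\(\s*SELECT\b", re.IGNORECASE | re.DOTALL)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.20.0' into (1, 20, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split(".")[:3])


def version_vulnerable(version: str) -> bool:
    """True for any release before the fixed 1.20.1."""
    return parse_version(version) < FIXED_VERSION


def has_where_subquery(sql: str) -> bool:
    """True if the WHERE clause contains a nested SELECT."""
    return SUBQUERY_RE.search(sql) is not None


def triage(cfg: Dict) -> List[str]:
    """Return stream names that need manual review under this advisory."""
    if not version_vulnerable(cfg.get("version", "0.0.0")):
        return []  # patched release: nothing to review
    if cfg.get("config", {}).get("edition") != 3:
        return []  # advisory only applies to edition 3 sync streams
    return [name for name, stream in cfg.get("streams", {}).items()
            if has_where_subquery(stream.get("query", ""))]


if __name__ == "__main__":
    print("streams to review:", triage(SAMPLE_CONFIG))
```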
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the PowerSync Service to version 1.20.1 or later, where this vulnerability is fixed.
After upgrading, restart the PowerSync Service to apply the fix.
No reprocessing of sync streams is needed, as erroneously synced data will be automatically removed from user devices upon reconnection.
If you are using a self-hosted instance, ensure you perform the upgrade and restart promptly. PowerSync Cloud instances have already been updated.