CVE-2026-32763
Received Received - Intake
SQL Injection in Kysely JSON Path Handling (MySQL, SQLite

Publication date: 2026-03-20

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-08
Generated
2026-06-19
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-18
NVD
CVE-2026-32763
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kysely kysely From 0.26.0 (inc) to 0.28.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32763 is a SQL injection vulnerability in the Kysely TypeScript SQL query builder versions up to 0.28.11. The issue occurs in the JSON path compilation for MySQL and SQLite dialects, where the function visitJSONPathLeg() appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes.

Because these values are not properly escaped, an attacker can break out of the JSON path string context and inject arbitrary SQL commands. This vulnerability contrasts with the sanitizeIdentifier() function, which correctly escapes delimiters for SQL identifiers but does not protect JSON path keys.

The vulnerability affects MySQL and SQLite dialects but not PostgreSQL, due to differences in JSON operator implementations and sanitization. The flaw allows attackers to execute unauthorized SQL queries, potentially extracting sensitive data or manipulating the database.

Impact Analysis

This vulnerability can allow an attacker to perform SQL injection attacks through JSON path keys in applications using Kysely with MySQL or SQLite. By injecting malicious SQL, an attacker could execute arbitrary SQL commands such as extracting sensitive data (e.g., admin passwords), modifying data, or disrupting application logic.

Because the injection occurs in JSON path expressions constructed from user input, applications that dynamically select JSON fields based on user input—such as search APIs, GraphQL resolvers, or admin panels exposing JSON column data—are particularly at risk.

The CVSS v3.1 score for this vulnerability is 8.2 (High), indicating a serious risk with network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing whether SQL injection is possible through JSON path keys in Kysely queries, specifically using the `.key()` method with malicious input.'}, {'type': 'paragraph', 'content': 'A practical approach is to construct a query that attempts to inject SQL commands via JSON path keys and observe if the injection executes or is sanitized.'}, {'type': 'paragraph', 'content': 'For example, a test command in a Node.js environment using Kysely might look like this:'}, {'type': 'list_item', 'content': "Use a malicious injection string such as: `first' as `identifier` first `identifier` from `identifier` people `identifier` ; drop table `identifier` person `identifier` -- `"}, {'type': 'list_item', 'content': "Build a query using `eb.ref('data', '->$').key(injection)` where `injection` is the malicious string."}, {'type': 'list_item', 'content': 'Execute the query and verify if the injected SQL commands (e.g., `DROP TABLE`) are executed or if the table still exists.'}, {'type': 'paragraph', 'content': 'If the injection executes, the system is vulnerable; if the injection is treated as a literal string and no destructive commands run, the vulnerability is mitigated.'}] [1, 3]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Kysely library to version 0.28.12 or later, where the vulnerability has been fixed by sanitizing string literals used in JSON path keys.

This fix ensures that user-controlled values passed to `.key()` and `.at()` methods are properly escaped, preventing SQL injection.

If upgrading is not immediately possible, avoid using dynamic user input in JSON path keys or implement strict validation and sanitization of such inputs to allow only safe characters.

Additionally, review your application code for any usage of JSON path keys in queries and apply manual escaping or parameterization where feasible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32763. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart