CVE-2026-40342
Received Received - Intake
Path Traversal in Firebird Engine Loader Enables Remote Code Execution

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40342
EUVD
EUVD-2026-23496
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
firebirdsql firebird to 3.0.14 (exc)
firebirdsql firebird From 4.0.0 (inc) to 4.0.7 (exc)
firebirdsql firebird From 5.0.0 (inc) to 5.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user with CREATE FUNCTION privileges to execute arbitrary code on the server with the server's OS account privileges. Such unauthorized code execution can lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive data stored in the Firebird database.

As a result, this vulnerability could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using vulnerable versions of Firebird may face increased risk of non-compliance due to potential data compromise stemming from this security flaw.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Firebird to version 5.0.4, 4.0.7, or 3.0.14 or later, as these versions contain the fix for the issue.

Additionally, restrict CREATE FUNCTION privileges to trusted users only, since an authenticated user with this privilege can exploit the vulnerability.

Executive Summary

This vulnerability exists in Firebird, an open-source relational database management system, in versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue arises because the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without properly filtering out path separators or '..' components.

An authenticated user who has CREATE FUNCTION privileges can exploit this by crafting a malicious ENGINE name that uses path traversal techniques to load an arbitrary shared library from anywhere on the filesystem.

When the shared library is loaded, its initialization code executes immediately as the server's operating system account, before Firebird validates the module. This leads to arbitrary code execution on the server.

The vulnerability has been fixed in Firebird versions 5.0.4, 4.0.7, and 3.0.14.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user with CREATE FUNCTION privileges to execute arbitrary code on the server hosting the Firebird database.

An attacker could potentially load malicious shared libraries from anywhere on the filesystem, leading to full compromise of the server's operating system account.

This could result in unauthorized data access, data modification, disruption of database services, or further attacks on the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40342. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart