CVE-2026-40342
Path Traversal in Firebird Engine Loader Enables Remote Code Execution
Publication date: 2026-04-17
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| firebirdsql | firebird | Up to 3.0.14 (exc) |
| firebirdsql | firebird | From 4.0.0 (inc) to 4.0.7 (exc) |
| firebirdsql | firebird | From 5.0.0 (inc) to 5.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Firebird to version 5.0.4, 4.0.7, or 3.0.14 or later, as these versions contain the fix for the issue.
Additionally, restrict CREATE FUNCTION privileges to trusted users only, since an authenticated user with this privilege can exploit the vulnerability.
Can you explain this vulnerability to me?
This vulnerability exists in Firebird, an open-source relational database management system, in versions prior to 5.0.4, 4.0.7, and 3.0.14. The issue arises because the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without properly filtering out path separators or '..' components.
An authenticated user who has CREATE FUNCTION privileges can exploit this by crafting a malicious ENGINE name that uses path traversal techniques to load an arbitrary shared library from anywhere on the filesystem.
When the shared library is loaded, its initialization code executes immediately as the server's operating system account, before Firebird validates the module. This leads to arbitrary code execution on the server.
The vulnerability has been fixed in Firebird versions 5.0.4, 4.0.7, and 3.0.14.
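To make the defect and its fix concrete, here is an added example (not Firebird's own loader code) that places the unchecked concatenation the advisory describes beside a validated form that accepts only a plain engine name; the plugin directory, the `.so` suffix and the function names are assumptions for illustration.

```cpp
#include <cctype>
#include <string>

// Assumed plugin directory; the real Firebird layout differs.
static const std::string kPluginDir = "/opt/firebird/plugins";

// Accept only a single plain path component: non-empty, not "." or "..",
// and limited to [A-Za-z0-9_-]. Any separator ('/' or '\\') fails the
// allowlist, so the name can never name a directory or climb out of one.
bool isSafeEngineName(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

// The weak pattern the advisory describes: the user-supplied engine name is
// glued into the path unchecked, so ".." components and separators are
// passed straight through to the shared-library loader.
std::string unsafeEnginePath(const std::string& name) {
    return kPluginDir + "/" + name + ".so";
}

// Hardened form: validate before building the path and refuse anything that
// is not a plain name. Returns false (and leaves `out` empty) on rejection.
bool safeEnginePath(const std::string& name, std::string& out) {
    out.clear();
    if (!isSafeEngineName(name)) return false;
    out = kPluginDir + "/" + name + ".so";
    return true;
}
```

A loader that also resolves the final path and checks it still starts with the plugin directory adds a second layer, but the allowlist alone already closes the traversal described above.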
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an authenticated user with CREATE FUNCTION privileges to execute arbitrary code on the server hosting the Firebird database.
An attacker could potentially load malicious shared libraries from anywhere on the filesystem, leading to full compromise of the server's operating system account.
This could result in unauthorized data access, data modification, disruption of database services, or further attacks on the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user with CREATE FUNCTION privileges to execute arbitrary code on the server with the server's OS account privileges. Such unauthorized code execution can lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive data stored in the Firebird database.
As a result, this vulnerability could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Organizations using vulnerable versions of Firebird may face increased risk of non-compliance due to potential data compromise stemming from this security flaw.