CVE-2026-40887
Unauthenticated SQL Injection in Vendure Shop API Allows Data Manipulation
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vendure | vendure | From 1.7.4 (inc) to 2.3.4 (exc) |
| vendure | vendure | From 3.0.0 (inc) to 3.5.7 (exc) |
| vendure | vendure | From 3.6.0 (inc) to 3.6.2 (exc) |
| vendure | vendure | to 2.3.4 (exc) |
| vendure | vendure | 2.3.4 |
| vendure | vendure | 3.5.7 |
| vendure | vendure | 3.6.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40887 is a critical SQL injection vulnerability in the Vendure Shop API, specifically in the @vendure/core npm package. It occurs because a user-controlled query string parameter, languageCode, is directly inserted into a raw SQL expression without proper parameterization or validation. This allows an attacker to inject and execute arbitrary SQL commands against the database.
The vulnerability affects all supported database backends including PostgreSQL, MySQL/MariaDB, and SQLite. It is exploitable without authentication on the Shop API, while the Admin API is also vulnerable but requires authentication.
The root cause is the use of JavaScript template literals to embed the languageCode value directly into a SQL CASE expression, which TypeORM cannot parameterize, combined with the lack of runtime validation on the languageCode input that originates from an HTTP query string parameter.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands on the database. Because the attack requires no authentication and no user interaction, an attacker can exploit it remotely by crafting malicious requests.
The potential impacts include high confidentiality impact (exposure of sensitive data) and high availability impact (disruption or denial of service to the database). However, the vulnerability does not impact data integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or suspicious HTTP requests to the Vendure Shop API that include a crafted languageCode query parameter. Since the vulnerability arises from an unauthenticated SQL injection via the languageCode parameter, inspecting logs or network traffic for requests with unexpected or malicious languageCode values can help identify exploitation attempts.
You can use network monitoring or web server log analysis tools to search for requests containing the languageCode parameter with suspicious characters or SQL injection payloads.
Example command to search web server logs for suspicious languageCode values (assuming logs are in access.log). Access logs usually store query values percent-encoded, so the pattern matches encoded quotes, semicolons and spaces as well as the raw characters and the SQL comment sequence:

```shell
grep -i 'languageCode=' access.log | grep -Ei "languageCode=[^& ]*(%27|%22|%3B|%20|--|[;'\"])"
```
Additionally, you can use tools like curl or HTTP clients to test the endpoint by sending requests with crafted languageCode values to see if the system behaves unexpectedly or returns SQL errors.
Example curl command to test the endpoint (replace the host and path with your own Shop API endpoint):

```shell
curl 'https://your-vendure-shop-api-endpoint/path?languageCode=invalid' -v
```
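A grep over raw characters is a quick first pass, but because access logs carry query values percent-encoded, a decode-then-validate scan is more reliable. The following TypeScript is an added example written for this page (it is not Vendure project code or a tool the advisory names): it assumes Combined Log Format lines and a Shop API path of /shop-api, both constructed for the sample, and flags any languageCode value that, once decoded, falls outside the strict [A-Za-z0-9_-] shape used by the hotfix.

```typescript
// Added example (not Vendure's code): scan access-log lines for languageCode
// values that do not look like a language tag. Assumes Combined Log Format.

const LANGUAGE_CODE_FORMAT = /^[a-zA-Z0-9_-]+$/; // same shape as the advisory's hotfix

interface Finding {
  line: number;
  clientIp: string;
  rawValue: string;
  decodedValue: string;
  reason: string;
}

// Return the raw (still percent-encoded) languageCode value from a request path, or null.
function extractLanguageCode(requestPath: string): string | null {
  const qIndex = requestPath.indexOf("?");
  if (qIndex < 0) return null;
  for (const pair of requestPath.slice(qIndex + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key.toLowerCase() === "languagecode") {
      return eq < 0 ? "" : pair.slice(eq + 1);
    }
  }
  return null;
}

// Decode percent-encoding and '+'; malformed sequences are kept as-is rather than thrown.
function safeDecode(value: string): string {
  try {
    return decodeURIComponent(value.replace(/\+/g, " "));
  } catch {
    return value;
  }
}

// Explain why a decoded value is suspicious, or null if it looks like a language tag.
function classify(decoded: string): string | null {
  if (decoded.length === 0) return "empty value";
  if (decoded.length > 16) return "unusually long"; // language tags are short
  if (!LANGUAGE_CODE_FORMAT.test(decoded)) return "characters outside [A-Za-z0-9_-]";
  return null;
}

// Combined Log Format prefix: ip ident user [time] "METHOD path PROTOCOL" ...
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+) [^"]*" /;

function scanAccessLog(logText: string): Finding[] {
  const findings: Finding[] = [];
  logText.split("\n").forEach((line, idx) => {
    const m = LOG_LINE.exec(line);
    if (!m) return;
    const clientIp = m[1] ?? "";
    const path = m[2] ?? "";
    const raw = extractLanguageCode(path);
    if (raw === null) return; // request did not carry the parameter at all
    const decoded = safeDecode(raw);
    const reason = classify(decoded);
    if (reason) findings.push({ line: idx + 1, clientIp, rawValue: raw, decodedValue: decoded, reason });
  });
  return findings;
}

// Constructed sample log lines (not real traffic); the /shop-api path is an assumption.
const SAMPLE_LOG = [
  '203.0.113.10 - - [21/Apr/2026:10:00:01 +0000] "POST /shop-api?languageCode=en HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.11 - - [21/Apr/2026:10:00:02 +0000] "GET /shop-api?languageCode=pt_BR HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [21/Apr/2026:10:00:03 +0000] "POST /shop-api?languageCode=en%27%3B HTTP/1.1" 500 128 "-" "python-requests/2.31"',
  '198.51.100.8 - - [21/Apr/2026:10:00:04 +0000] "POST /shop-api?foo=1&languageCode=en%20x%22 HTTP/1.1" 500 128 "-" "-"',
  '203.0.113.12 - - [21/Apr/2026:10:00:05 +0000] "POST /shop-api HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
].join("\n");

const report = scanAccessLog(SAMPLE_LOG);
for (const f of report) {
  console.log(`line ${f.line} ${f.clientIp} languageCode=${JSON.stringify(f.decodedValue)}: ${f.reason}`);
}
```

Pair the findings with the response status: a burst of flagged values from one client that coincides with HTTP 500 responses is a stronger signal than either alone, and the client addresses are the natural pivot into the database logs.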
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade Vendure to one of the patched versions: 2.3.4, 3.5.7, or 3.6.2, which include fixes that convert the vulnerable SQL interpolation into parameterized queries and validate the languageCode input.
If immediate upgrading is not possible, apply the provided hotfix that modifies the RequestContextService.getLanguageCode method to validate the languageCode input using a strict regex. This validation only allows alphanumeric characters, underscores, and hyphens, rejecting any invalid input and falling back to the channel's default language code, thereby blocking injection payloads.
Apply the hotfix by replacing the getLanguageCode method with the following code snippet:

```typescript
private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined {
    const queryLanguageCode = req.query?.languageCode as string | undefined;
    // Accept only alphanumerics, underscores and hyphens; anything else is treated as absent.
    const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode);
    return (
        (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ??
        channel.defaultLanguageCode ??
        this.configService.defaultLanguageCode
    );
}
```
This hotfix prevents malicious input from reaching the SQL query and reduces the risk of exploitation until a full upgrade can be performed.
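To make the root cause and the fix concrete, here is an added TypeScript example (illustrative code written for this page, not Vendure's source) that contrasts the template-literal pattern the advisory describes with a builder that validates the value as the hotfix does and then binds it as a query parameter, so it never enters the SQL text. The function names, the translation.languageCode column reference and the shape of the CASE expression are assumptions for illustration.

```typescript
// Added example (not Vendure's code): interpolation pattern vs. validated, bound parameter.
// Function names and the CASE expression shape are illustrative assumptions.

type LanguageCode = string;

interface BoundSql {
  sql: string;       // constant SQL text
  params: unknown[]; // values handed to the driver separately from the text
}

// Strict shape for a language tag (same character class as the advisory's hotfix).
const LANGUAGE_CODE_FORMAT = /^[a-zA-Z0-9_-]+$/;

// Mirrors the hotfix logic: use the query-string value only if it matches the strict
// format; otherwise fall back to the channel default, then to the global default.
function resolveLanguageCode(
  queryLanguageCode: string | undefined,
  channelDefault: LanguageCode | undefined,
  configDefault: LanguageCode,
): LanguageCode {
  const isValidFormat =
    queryLanguageCode !== undefined && LANGUAGE_CODE_FORMAT.test(queryLanguageCode);
  return (isValidFormat ? queryLanguageCode : undefined) ?? channelDefault ?? configDefault;
}

// UNSAFE pattern, shown for contrast only: the value becomes part of the SQL text,
// so the database parser sees whatever characters the client sent. An ORM cannot
// parameterize a string that is already assembled like this.
function buildLanguageCaseUnsafe(languageCode: string): BoundSql {
  const sql = `CASE WHEN translation.languageCode = '${languageCode}' THEN 0 ELSE 1 END`;
  return { sql, params: [] };
}

// SAFE pattern: validate first, then keep the SQL text constant and bind the value.
// "?" is the generic positional placeholder; TypeORM's QueryBuilder would use a named
// placeholder such as :languageCode supplied through setParameters().
function buildLanguageCaseSafe(languageCode: string): BoundSql {
  if (!LANGUAGE_CODE_FORMAT.test(languageCode)) {
    throw new Error("languageCode failed format validation");
  }
  return {
    sql: "CASE WHEN translation.languageCode = ? THEN 0 ELSE 1 END",
    params: [languageCode],
  };
}

// Constructed inputs: a normal tag and a value carrying SQL metacharacters.
const NORMAL_TAG = "pt-BR";
const SUSPECT_VALUE = "en';";

const resolved = resolveLanguageCode(SUSPECT_VALUE, "de", "en"); // falls back to "de"
console.log("resolved:", resolved);
console.log("unsafe  :", buildLanguageCaseUnsafe(SUSPECT_VALUE).sql); // quote lands in SQL text
console.log("safe    :", JSON.stringify(buildLanguageCaseSafe(resolved)));
console.log("safe    :", JSON.stringify(buildLanguageCaseSafe(NORMAL_TAG)));
```

The two layers are deliberately independent: the format check keeps unexpected values out of the request context (what the hotfix does), and parameter binding keeps even a valid-looking value out of the SQL grammar (what the patched releases do). Either alone narrows the problem; the patched versions apply both.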
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the Vendure Shop API database, potentially exposing sensitive data.
Such unauthorized data access or manipulation could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, if exploited, this vulnerability could compromise confidentiality and availability of data, impacting compliance with these regulations.