CVE-2026-40887

Received Received - Intake

Unauthenticated SQL Injection in Vendure Shop API Allows Data Manipulation

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-21

Last Modified

2026-04-21

Generated

2026-06-16

AI Q&A

2026-04-22

EPSS Evaluated

2026-06-14

NVD

CVE-2026-40887

Affected Vendors & Products

Vendor	Product	Version / Range
vendure	vendure	From 1.7.4 (inc) to 2.3.4 (exc)
vendure	vendure	From 3.0.0 (inc) to 3.5.7 (exc)
vendure	vendure	From 3.6.0 (inc) to 3.6.2 (exc)
vendure	vendure	to 2.3.4 (exc)
vendure	vendure	2.3.4
vendure	vendure	3.5.7
vendure	vendure	3.6.2

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Compliance Impact

The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the Vendure Shop API database, potentially exposing sensitive data.

Such unauthorized data access or manipulation could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could compromise confidentiality and availability of data, impacting compliance with these regulations.

Executive Summary

CVE-2026-40887 is a critical SQL injection vulnerability in the Vendure Shop API, specifically in the @vendure/core npm package. It occurs because a user-controlled query string parameter, languageCode, is directly inserted into a raw SQL expression without proper parameterization or validation. This allows an attacker to inject and execute arbitrary SQL commands against the database.

The vulnerability affects all supported database backends including PostgreSQL, MySQL/MariaDB, and SQLite. It is exploitable without authentication on the Shop API, while the Admin API is also vulnerable but requires authentication.

The root cause is the use of JavaScript template literals to embed the languageCode value directly into a SQL CASE expression, which TypeORM cannot parameterize, combined with the lack of runtime validation on the languageCode input that originates from an HTTP query string parameter.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands on the database. Because the attack requires no authentication and no user interaction, an attacker can exploit it remotely by crafting malicious requests.

The potential impacts include high confidentiality impact (exposure of sensitive data), and high availability impact (disruption or denial of service to the database). However, the vulnerability does not impact data integrity.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious HTTP requests to the Vendure Shop API that include a crafted languageCode query parameter. Since the vulnerability arises from an unauthenticated SQL injection via the languageCode parameter, inspecting logs or network traffic for requests with unexpected or malicious languageCode values can help identify exploitation attempts.

You can use network monitoring or web server log analysis tools to search for requests containing the languageCode parameter with suspicious characters or SQL injection payloads.

Example command to search web server logs for suspicious languageCode parameters (assuming logs are in access.log):
grep -i 'languageCode=' access.log | grep -E "[;'\"\-\-\s]"

Additionally, you can use tools like curl or HTTP clients to test the endpoint by sending requests with crafted languageCode values to see if the system behaves unexpectedly or returns SQL errors.

Example curl command to test for vulnerability:
curl 'https://your-vendure-shop-api-endpoint/path?languageCode=invalid' -v

Mitigation Strategies

The primary and recommended mitigation is to upgrade Vendure to one of the patched versions: 2.3.4, 3.5.7, or 3.6.2, which include fixes that convert the vulnerable SQL interpolation into parameterized queries and validate the languageCode input.

If immediate upgrading is not possible, apply the provided hotfix that modifies the RequestContextService.getLanguageCode method to validate the languageCode input using a strict regex. This validation only allows alphanumeric characters, underscores, and hyphens, rejecting any invalid input and falling back to the channel's default language code, thereby blocking injection payloads.

Apply the hotfix by replacing the getLanguageCode method with the following code snippet:
private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined {
const queryLanguageCode = req.query?.languageCode as string | undefined;
const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode);
return (
(isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ?? channel.defaultLanguageCode ?? this.configService.defaultLanguageCode
);
}

This hotfix prevents malicious input from reaching the SQL query and reduces the risk of exploitation until a full upgrade can be performed.

Hi! I’m here to help you understand CVE-2026-40887. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-40887

Unauthenticated SQL Injection in Vendure Shop API Allows Data Manipulation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart