CVE-2026-40906

Received Received - Intake

Error-Based SQL Injection in ElectricSQL /v1/shape API

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-21

Last Modified

2026-04-22

Generated

2026-06-16

AI Q&A

2026-04-22

EPSS Evaluated

2026-06-15

NVD

CVE-2026-40906

Affected Vendors & Products

Vendor	Product	Version / Range
electricsql	electric	From 1.1.12 (inc) to 1.5.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Compliance Impact

The vulnerability allows any authenticated user to perform error-based SQL injection via the order_by parameter, enabling them to read, write, and destroy the full contents of the underlying PostgreSQL database.

Such unauthorized access and manipulation of sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls to ensure confidentiality, integrity, and availability of personal and health information.

Therefore, this vulnerability poses a significant risk to compliance with these regulations due to potential data breaches and loss of data integrity.

Executive Summary

This vulnerability exists in Electric, a Postgres sync engine, specifically in versions from 1.1.12 to before 1.5.0. The issue is with the order_by parameter in the ElectricSQL /v1/shape API, which is susceptible to error-based SQL injection. This means that an authenticated user can craft malicious ORDER BY expressions that exploit this flaw.

Through this vulnerability, an attacker can read, write, and destroy the entire contents of the underlying PostgreSQL database.

The vulnerability was fixed in version 1.5.0.

Impact Analysis

If exploited, this vulnerability allows any authenticated user to perform unauthorized actions on the database, including reading sensitive data, modifying data, and deleting data.

Such actions can lead to data breaches, loss of data integrity, and availability issues, severely impacting the security and reliability of your system.

Given the high CVSS score of 9.9, the impact is critical.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ElectricSQL to version 1.5.0 or later, where the issue with the order_by parameter in the /v1/shape API has been fixed.

Detection Guidance

This vulnerability can be detected by attempting to exploit the SQL injection flaw in the `/v1/shape` API's `order_by` parameter with crafted payloads that trigger error-based SQL injection responses.

A common detection method is to send a POST request to the shape subscription endpoint with an `order_by` parameter containing a payload such as `CAST((SELECT version()) AS int) DESC`. If the system is vulnerable, the response will be a 500 error containing the PostgreSQL version string in the error message.

Example command using curl to test for the vulnerability:

curl -X POST https://your-electricsql-server/v1/shape -H 'Content-Type: application/json' -d '{"order_by": "CAST((SELECT version()) AS int) DESC"}'

If the response contains database error messages revealing internal information (such as the PostgreSQL version), this indicates the presence of the vulnerability.

Note that this requires authentication since the vulnerability affects authenticated users.

Hi! I’m here to help you understand CVE-2026-40906. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-40906

Error-Based SQL Injection in ElectricSQL /v1/shape API

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart