CVE-2026-40906
Error-Based SQL Injection in ElectricSQL /v1/shape API

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: electricsql
Product: electric
Version range: from 1.1.12 (inclusive) to 1.5.0 (exclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be confirmed by sending the `/v1/shape` endpoint an `order_by` value that only makes sense if it is interpreted as SQL, and checking whether the database's error message comes back to the client. That is the error-based pattern: the query fails, and the failure text carries the result of a subquery the attacker chose.

A common probe is `CAST((SELECT version()) AS int) DESC`. Sorting by that expression forces PostgreSQL to cast its version banner to an integer, which fails; PostgreSQL quotes the offending text in the error, so a vulnerable server answers with a 500 whose body contains something like `invalid input syntax for type integer: "PostgreSQL 16.x on ..."`.

Example command using curl to test for the vulnerability (supply whatever credential your deployment's authentication layer expects):

  • curl -i -X POST https://your-electricsql-server/v1/shape -H 'Authorization: <credential required by your deployment>' -H 'Content-Type: application/json' -d '{"order_by": "CAST((SELECT version()) AS int) DESC"}'

Adjust the request to the deployed API version: the HTTP method, whether parameters travel in the query string or a JSON body, and any other parameters the shape endpoint requires (such as the table being synced). The probe only reads the server version, but run it only against systems you are authorized to test.

A response that echoes the PostgreSQL version string is conclusive. A bare 500 with a generic body is not: check the server logs for the failed query, or compare the running Electric version against the affected range (1.1.12 up to, but not including, 1.5.0), which is the reliable non-intrusive check. A 400 that rejects the value suggests the parameter is now validated.

Note that this requires authentication, since the vulnerability is reachable only by authenticated users.
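A small checker for the probe above, as an added example that is not part of this advisory or of ElectricSQL's code: it assembles the probe as a query-string request (the parameter names `table` and `offset`, the GET method and the bearer token are assumptions about the deployment) and classifies responses, separating a conclusive version leak from a bare 500 that only warrants a look at the server logs. The sample responses are constructed, not captured from a real server.

```python
"""Classify responses to the order_by error-based SQLi probe for CVE-2026-40906.

Added example; not code from ElectricSQL or from this advisory. The request
encoding in build_probe_request (GET, query-string parameters, bearer token)
and the bodies in SAMPLE_RESPONSES are assumptions and constructed data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The probe from the advisory: only meaningful if order_by is spliced into SQL.
PROBE = "CAST((SELECT version()) AS int) DESC"

# PostgreSQL quotes the text it failed to cast, so a leaked banner reads:
#   invalid input syntax for type integer: "PostgreSQL 16.2 on x86_64-..."
LEAK_RE = re.compile(r'invalid input syntax for type integer:\s*"(PostgreSQL [^"]*)"')

# Other signs that a raw database error reached the client.
RAW_DB_ERROR_RE = re.compile(r"(syntax error at or near|^ERROR:|\bERROR:\s)", re.M)


@dataclass
class Verdict:
    verdict: str            # vulnerable | likely | rejected | inconclusive | clean
    reason: str
    leaked: Optional[str] = None


def build_probe_request(base_url: str, table: str, token: str) -> Dict[str, object]:
    """Describe the probe request. Parameter names and auth scheme are assumed."""
    return {
        "method": "GET",
        "url": base_url.rstrip("/") + "/v1/shape",
        "params": {"table": table, "offset": "-1", "order_by": PROBE},
        "headers": {"Authorization": "Bearer " + token},
    }


def classify(status: int, body: str) -> Verdict:
    """Decide what a response to the probe tells us."""
    leak = LEAK_RE.search(body)
    if leak:
        return Verdict("vulnerable", "database error echoed the probe's SELECT result", leak.group(1))
    if status >= 500 and RAW_DB_ERROR_RE.search(body):
        return Verdict("likely", "raw PostgreSQL error reached the client; inspect the query in server logs")
    if status in (400, 422):
        return Verdict("rejected", "order_by refused by input validation")
    if status >= 500:
        return Verdict("inconclusive", "generic server error with no database detail; check server logs")
    return Verdict("clean", "HTTP %d with no sign that order_by was interpreted as SQL" % status)


# Constructed sample responses (status, body); not real captures.
SAMPLE_RESPONSES: List[Tuple[int, str]] = [
    (500, 'ERROR:  invalid input syntax for type integer: "PostgreSQL 16.2 on x86_64-pc-linux-gnu"'),
    (500, 'ERROR:  syntax error at or near "DESC"'),
    (400, '{"message":"invalid order_by: expected column name"}'),
    (500, "Internal Server Error"),
    (200, "[]"),
]


def run_samples() -> List[str]:
    """Verdict label for each constructed sample, in order."""
    return [classify(status, body).verdict for status, body in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (status, body), label in zip(SAMPLE_RESPONSES, run_samples()):
        print(status, label, body[:60])
```

Only the first sample is treated as proof; the second is flagged as likely because a raw PostgreSQL error reaching the client means the server is not masking database failures, which is a finding in its own right even when the banner is absent.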


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows any authenticated user to perform error-based SQL injection via the order_by parameter and thereby read, write, and destroy the full contents of the underlying PostgreSQL database.

Unauthorized access to and manipulation of sensitive data on that scale can constitute a violation of data protection regimes such as GDPR and HIPAA, which require controls that preserve the confidentiality, integrity, and availability of personal and health information; a successful exploit would typically also trigger the breach-notification duties those regimes impose.

The vulnerability therefore poses a significant compliance risk wherever regulated data is stored in an affected database.


Can you explain this vulnerability to me?

This vulnerability exists in Electric, a Postgres sync engine, in versions from 1.1.12 up to but not including 1.5.0. The order_by parameter of the ElectricSQL /v1/shape API ends up in the SQL that Electric runs against PostgreSQL without being restricted to column names and sort directions, so an authenticated user can supply arbitrary ORDER BY expressions, subqueries included. The injection is "error-based" because the attacker does not need the query's rows to be returned: an expression such as a deliberately failing cast makes PostgreSQL raise an error whose message embeds whatever the subquery selected, and that message is relayed to the client.

Through this vulnerability, an attacker can read, write, and destroy the entire contents of the underlying PostgreSQL database.

The vulnerability was fixed in version 1.5.0.


How can this vulnerability impact me?

If exploited, this vulnerability allows any authenticated user to run attacker-chosen SQL against the database behind Electric: reading sensitive data, modifying it, and deleting it.

Such actions can lead to data breaches, loss of data integrity, and availability issues, severely affecting the security and reliability of your system. Because a sync engine distributes database state to its clients, rows tampered with through the injection point are also synced out as if they were legitimate updates.

With a reported CVSS score of 9.9, the impact is rated critical.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade ElectricSQL to version 1.5.0 or later, where the handling of the order_by parameter in the /v1/shape API has been fixed. Until the upgrade is deployed, reduce exposure: limit which principals can reach /v1/shape (every authenticated user is a potential attacker), reject or strip order_by values at a reverse proxy in front of Electric unless they consist solely of column names and a sort direction, run Electric's PostgreSQL role with the least privilege it needs so that the injection point cannot be used to modify or drop data the role has no business touching, and review database and application logs for failed queries whose ORDER BY contains subqueries or casts.
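The class of bug and its fix, as an added example that is not ElectricSQL's code: an ORDER BY builder that interpolates the parameter (the vulnerable pattern) beside one that parses order_by into allowlisted column names and fixed keywords and rejects everything else. The function names, the table and the column allowlist are assumed for the illustration.

```python
"""ORDER BY handling: the injectable pattern beside a hardened one (CWE-89).

Added example illustrating the class of bug in this advisory; it is not
ElectricSQL's code. Function names, the table name and the column allowlist
are assumed for the illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

# The advisory's probe expression.
PROBE = "CAST((SELECT version()) AS int) DESC"


def build_query_vulnerable(table: str, order_by: str) -> str:
    """Splices the caller's order_by text straight into the statement.

    ORDER BY cannot be supplied as a bind parameter, which is why code ends
    up interpolating it; any SQL expression the caller writes is executed.
    """
    return 'SELECT * FROM "%s" ORDER BY %s' % (table, order_by)


class InvalidOrderBy(ValueError):
    """Raised when order_by is anything other than allowlisted columns."""


# One sort term: identifier, optional direction, optional NULLS placement.
_TERM_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*(NULLS\s+(FIRST|LAST))?\s*$", re.I
)


def parse_order_by(order_by: str, allowed_columns: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Parse 'col [ASC|DESC] [NULLS FIRST|LAST], ...' against an allowlist.

    Anything outside that grammar (functions, casts, subqueries, statement
    separators, unknown columns) is rejected rather than escaped.
    """
    allowed = set(allowed_columns)
    terms = []
    for raw in order_by.split(","):
        m = _TERM_RE.match(raw)
        if not m:
            raise InvalidOrderBy("unparseable order_by term: %r" % raw)
        column, direction, _, nulls = m.groups()
        if column not in allowed:
            raise InvalidOrderBy("column not allowed in order_by: %r" % column)
        terms.append((column, (direction or "ASC").upper(), nulls.upper() if nulls else None))
    return terms


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier (embedded double quotes are doubled)."""
    return '"' + name.replace('"', '""') + '"'


def build_query_hardened(table: str, order_by: str, allowed_columns: Iterable[str]) -> str:
    """Build ORDER BY only from validated, quoted column names and fixed keywords."""
    parts = []
    for column, direction, nulls in parse_order_by(order_by, allowed_columns):
        clause = "%s %s" % (quote_ident(column), direction)
        if nulls:
            clause += " NULLS " + nulls
        parts.append(clause)
    return "SELECT * FROM %s ORDER BY %s" % (quote_ident(table), ", ".join(parts))


def is_rejected(order_by: str, allowed_columns: Iterable[str]) -> bool:
    """True when the hardened parser refuses the value."""
    try:
        parse_order_by(order_by, allowed_columns)
    except InvalidOrderBy:
        return True
    return False


if __name__ == "__main__":
    allowed = ["id", "created_at"]
    print(build_query_vulnerable("items", PROBE))           # probe becomes part of the SQL
    print(build_query_hardened("items", "created_at desc, id", allowed))
    print("probe rejected:", is_rejected(PROBE, allowed))
```

The hardened builder deliberately supports only plain column references: escaping a free-form ORDER BY expression is not a viable defence, because the expression is executed as SQL by design, so the only safe policy is to accept a closed grammar and emit the query text from the parsed pieces.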

