CVE-2026-44635
Status: Deferred - Pending Action
JSON Path Injection in Kysely TypeScript Query Builder

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input), including type-safe code where the JSON column is shaped like Record<string, T> so that K extends string is the inferred type, every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor    Product    Version / Range
kysely    kysely     up to 0.28.16 (inclusive)
kysely    kysely     0.28.17
CWE
CWE ID     Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Compliance Impact

This vulnerability allows attackers to read and modify JSON sub-fields beyond the intended scope, potentially exposing sensitive data such as tokens, Social Security Numbers (SSNs), or admin flags.

Such unauthorized access and modification of sensitive personal or protected health information can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over access to and integrity of sensitive data.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to improper data exposure and unauthorized data changes.

Executive Summary

This vulnerability affects Kysely, a type-safe TypeScript SQL query builder, in versions from 0.26.0 to 0.28.16. The issue lies in the DefaultQueryCompiler.visitJSONPathLeg function, which does not escape JSON-path metacharacters such as ., [, ], *, **, and ?. When attacker-controlled input is passed into certain functions like eb.ref(col, '->$').key(input) or .at(input), each dot in the input is treated as a path-leg separator. This allows an attacker to traverse from the intended JSON key into sibling and child fields that the developer did not intend to expose.

As a result, the attacker can gain read access, and in update statements, write access to JSON sub-fields outside the intended scope across databases like MySQL, PostgreSQL, and SQLite. This vulnerability was fixed in version 0.28.17.

Impact Analysis

This vulnerability can allow an attacker to access and potentially modify JSON data fields that were not meant to be accessible. Specifically, the attacker can read sensitive data from sibling or child JSON fields beyond the intended key, and in some cases, write or update those fields.

Such unauthorized access and modification can lead to data leakage, data integrity issues, and potential compromise of application logic or user data stored in JSON columns within supported databases like MySQL, PostgreSQL, and SQLite.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kysely to version 0.28.17 or later where the issue is fixed.
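The advisory's mechanism is simple to picture once the path legs are written out, and the upgrade can be backed by an application-side guard in front of .key()/.at(). The following is an added example, not Kysely's own code: naiveJsonPath is a constructed stand-in that joins legs with a dot without escaping, as the advisory describes for 0.26.0 to 0.28.16, and the guard functions (isSafeJsonKey, pickAllowedKey, assertSafeJsonIndex) are hypothetical helpers a caller could apply before passing user input to the builder. The accepted index form (a non-negative integer) is an assumption about what the calling application needs, not a statement about Kysely's .at() signature.

```typescript
// Added example, not Kysely's code. Models the unescaped path-leg behaviour the
// advisory describes and shows application-side guards for user-supplied keys.

// Metacharacters the advisory lists for JSON paths: . [ ] * ** ?
const JSON_PATH_METACHARS = /[.\[\]*?]/;

// Constructed stand-in for an unescaping path compiler: every key becomes a
// ".key" leg, so a key containing "." silently becomes several legs.
function naiveJsonPath(keys: string[]): string {
  return keys.reduce((path, k) => `${path}.${k}`, '$');
}

// True only for non-empty keys that carry no path metacharacters.
function isSafeJsonKey(key: string): boolean {
  return key.length > 0 && !JSON_PATH_METACHARS.test(key);
}

// Deny-list guard: reject before any SQL is built.
function assertSafeJsonKey(key: string): string {
  if (!isSafeJsonKey(key)) {
    throw new Error(`rejected JSON key ${JSON.stringify(key)}: contains path metacharacters`);
  }
  return key;
}

// Allow-list guard, the stronger form. A column typed Record<string, T> gives the
// compiler no finite key set (K extends string), so the list is enforced at runtime.
function pickAllowedKey<K extends string>(key: string, allowed: readonly K[]): K {
  const hit = allowed.find((k) => k === key);
  if (hit === undefined) {
    throw new Error(`JSON key ${JSON.stringify(key)} is not exposed`);
  }
  return hit;
}

// Index guard for .at(): this application only ever needs a non-negative integer
// (an assumption of this example, not Kysely's accepted index forms).
function assertSafeJsonIndex(index: unknown): number {
  if (typeof index !== 'number' || !Number.isInteger(index) || index < 0) {
    throw new Error(`rejected JSON index ${String(index)}`);
  }
  return index;
}

// Same model compiler, but every key passes the guard first.
function guardedJsonPath(keys: string[]): string {
  return naiveJsonPath(keys.map(assertSafeJsonKey));
}

// Constructed hostile value for a single request parameter.
const hostileKey = 'theme.ssn';

// Unguarded: the dot becomes a second leg and the path reaches a nested field
// the developer only meant to expose "theme" for.
const leaked = naiveJsonPath(['profile', hostileKey]); // "$.profile.theme.ssn"

// Guarded: rejected before the builder sees it.
let guardOutcome = 'accepted';
try {
  guardedJsonPath(['profile', hostileKey]);
} catch (e) {
  guardOutcome = 'rejected';
}
console.log(leaked, guardOutcome);
```

The allow-list form is preferable wherever the exposed keys are known, because it also stops plain sibling keys (no metacharacters, just a name the developer did not intend to serve) that a deny-list cannot distinguish from legitimate ones.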

Detection Guidance

Detection starts with inventorying Kysely versions 0.26.0 through 0.28.16 in your environment, especially where the JSON-path methods `.key()` or `.at()` are called with attacker-controlled input.

Detection involves identifying queries or logs where JSON-path metacharacters such as dots (.), brackets ([ ]), asterisks (*), double asterisks (**), or question marks (?) appear in inputs to `.key()` or `.at()` methods, which could indicate attempted path traversal.

Because this is a code-level flaw, network or log-based detection is limited to searching application logs or network traffic for payloads that carry JSON-path metacharacters destined for these methods.

Suggested commands to detect potential exploitation attempts include grepping source code for the vulnerable method usage pattern, and grepping application logs for metacharacters in the field that carries the user-supplied key. The second command assumes that key is logged as `key=...`; adapt the prefix to your log format, since a bare search for any dot matches almost every log line:

  • grep -rE '\.(key|at)\(' /path/to/source/code
  • grep -rE 'key=[^&[:space:]]*[][.*?]' /path/to/application/logs

Additionally, monitoring database query logs for JSON-path expressions containing unexpected metacharacters in keys may help detect exploitation attempts.
