CVE-2026-49498
SQL Injection in Ghidra via PasswordChange Message

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.
Affected Vendors & Products
Associated CPE (1):
Vendor: national_security_agency
Product: ghidra
Version / Range: up to 12.1 (excluding)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2026-49498 is a SQL injection vulnerability in Ghidra versions 11.0 through 11.9, specifically in the changePassword() method of the PostgresFunctionDatabase class.

The vulnerability occurs because usernames are not properly escaped before being inserted into ALTER ROLE SQL statements, allowing attackers to inject malicious SQL commands.

An authenticated attacker can exploit this by sending specially crafted PasswordChange network messages with malicious username parameters, which can lead to privilege escalation to PostgreSQL superuser level and full control over the database.

Impact Analysis

Exploitation of this vulnerability can allow an attacker to escalate their privileges to PostgreSQL superuser, granting them complete control over the database.

This means the attacker can execute arbitrary SQL commands, potentially exposing sensitive data, modifying or deleting data, and even executing operating system commands through the database.

The attack requires only low privileges and no user interaction, making it relatively easy to exploit in a network environment.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for PasswordChange messages containing suspicious or crafted username parameters that may include SQL injection payloads.

Since the vulnerability involves SQL injection via the changePassword() method in the PostgresFunctionDatabase class, detection can involve inspecting logs or network captures for ALTER ROLE statements with unusual or unescaped double quotes in usernames.

Specific commands are not provided in the available resources, but general approaches include:

  • Using network packet capture tools (e.g., tcpdump, Wireshark) to filter for PasswordChange protocol messages.
  • Searching database logs for ALTER ROLE statements with suspicious username inputs containing unescaped double quotes or SQL syntax.
  • Employing SQL injection detection tools or scripts to analyze inputs to the changePassword() method if application logs are available.
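The following is an added illustration, not Ghidra's code: it shows the PostgreSQL identifier quoting the description above says changePassword() omitted, next to the unescaped ALTER ROLE pattern, and a log check of the kind the detection guidance suggests. The helper names (quote_ident, role_from_statement, flag_suspicious) and the sample log lines are constructed for this example.

```python
import re

# Added illustration, not Ghidra's code: PostgreSQL identifier/literal escaping
# beside the unescaped ALTER ROLE pattern the advisory describes, plus a log check.

def quote_ident(name: str) -> str:
    """Escape a PostgreSQL identifier: wrap in double quotes, double embedded ones."""
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value: str) -> str:
    """Escape a PostgreSQL string literal (assumes standard_conforming_strings=on)."""
    return "'" + value.replace("'", "''") + "'"

def alter_role_unsafe(username: str, password: str) -> str:
    """Pattern the advisory describes: the username is interpolated unescaped."""
    return f'ALTER ROLE "{username}" WITH PASSWORD {quote_literal(password)}'

def alter_role_safe(username: str, password: str) -> str:
    """Hardened form: the identifier is escaped, so a quote in the name stays data."""
    return f"ALTER ROLE {quote_ident(username)} WITH PASSWORD {quote_literal(password)}"

# Shape a legitimate password change should have: one quoted identifier
# (with "" as the only allowed embedded quote) and one password clause, nothing else.
_PASSWORD_CHANGE = re.compile(
    r'''^ALTER ROLE "((?:[^"]|"")*)" WITH PASSWORD '(?:[^']|'')*'\s*;?\s*$'''
)

def role_from_statement(stmt: str):
    """Return the role name if stmt is a well-formed password change, else None."""
    m = _PASSWORD_CHANGE.match(stmt)
    return m.group(1).replace('""', '"') if m else None

def flag_suspicious(log_lines):
    """Return ALTER ROLE statements from a log that do not fit the expected shape."""
    return [line for line in log_lines
            if line.startswith("ALTER ROLE") and role_from_statement(line) is None]

if __name__ == "__main__":
    # Constructed sample log lines (not from the advisory) for the check above.
    sample_log = [
        alter_role_safe('o"neil', "s3cret"),    # escaped: one identifier, accepted
        alter_role_unsafe('o"neil', "s3cret"),  # unescaped: stray quote, flagged
        "SELECT 1",
    ]
    for stmt in flag_suspicious(sample_log):
        print("suspicious:", stmt)
```

The check is shape-based, so a username that legitimately contains a double quote only passes when it was escaped; a statement with extra clauses after the password is flagged regardless of what they are.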

Mitigation Strategies

The primary immediate mitigation step is to upgrade Ghidra to version 12.1 or later, where this SQL injection vulnerability has been patched.

Until the upgrade can be applied, restrict the ability to send PasswordChange messages to the Ghidra server to trusted, authenticated users only, since exploitation requires authentication.

Additionally, monitor and audit database ALTER ROLE commands for suspicious activity and consider applying network-level controls to limit exposure.

Compliance Impact

The vulnerability allows authenticated attackers to escalate privileges to PostgreSQL superuser level, gaining full control over the database. This can lead to unauthorized access, data exposure, and potential manipulation or deletion of sensitive information.

Such unauthorized access and data exposure could result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive data to prevent breaches and ensure data integrity and confidentiality.
