CVE-2026-46421
Received
Received - Intake
Malicious Package in SAP Cloud Application Programming Model
Vulnerability report for CVE-2026-46421, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-15
Last updated on: 2026-07-15
Assigner: GitHub, Inc.
Description
Description
The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of `@cap-js/[email protected]`, `@cap-js/[email protected]`, and `@cap-js/[email protected]` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. User should upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. No known workarounds are available.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cap-js | sqlite | From 2.4.0 (inc) |
| cap-js | postgres | From 2.3.0 (inc) |
| cap-js | db-service | From 2.11.0 (inc) |
| sap | mbt | 1.2.48 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |