Skip to content

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Critical severity GitHub Reviewed Published Apr 16, 2026 in saltcorn/saltcorn • Updated Apr 27, 2026

Package

npm @saltcorn/server (npm)

Affected versions

< 1.4.6
>= 1.5.0-beta.0, < 1.5.6
>= 1.6.0-alpha.0, < 1.6.0-beta.5

Patched versions

1.4.6
1.5.6
1.6.0-beta.5

Description

Summary

A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend.

Details

The issue affects the mobile-sync endpoints:

  • POST /sync/load_changes
  • POST /sync/deletes

According to the provided analysis, user-controlled values from the request body are interpolated directly into SQL template literals without parameterization, type enforcement, or sanitization. In particular, req.body.syncInfos[tableName].maxLoadedId is embedded into SQL in getSyncRows() and timestamp-derived values are similarly interpolated in getDelRows().

Relevant vulnerable code paths include:

  • packages/server/routes/sync.jsgetSyncRows()
    • branch using where data_tbl."${db.sqlsanitize(pkName)}" > ${syncInfo.maxLoadedId}
    • branch using and info_tbl.ref > ${syncInfo.maxLoadedId}
  • packages/server/routes/sync.jsgetDelRows()
    • timestamp expressions built from request-controlled values and inserted into SQL
  • packages/server/routes/sync.js/load_changes route handler
    • request body fields are passed into the SQL-building functions without validation or safe binding

The root cause is that values are treated as trusted SQL fragments rather than bound parameters. While db.sqlsanitize() is used for identifiers elsewhere, that does not protect interpolated values and is not intended to prevent value-based SQL injection. The report notes there is no parseInt(), numeric validation, or prepared-statement binding before these values are concatenated into the query string.

This means a normal authenticated user can escape the intended query logic and execute arbitrary SQL in the context of the application database. The provided evidence demonstrates successful extraction of user records and schema information through the vulnerable sync route, confirming that the injection is practically exploitable.

PoC

Based on the provided report, the issue can be reproduced by authenticating as a normal user, sending a crafted request to the affected sync endpoint, and placing a malicious SQL expression into the sync metadata field that is later interpolated into the backend query. Successful exploitation returns attacker-selected database contents in the sync response.

Impact

  • Type: SQL injection
  • Who is impacted: Any Saltcorn deployment exposing the affected mobile-sync routes to authenticated users
  • Security impact: An authenticated low-privilege user may exfiltrate the full database, including password hashes, configuration secrets, application data, and schema information; on some backends, the same flaw may also permit writes, schema changes, or destructive operations
  • Attack preconditions: The attacker needs a valid authenticated account with access to at least one readable table through the sync feature
  • Privilege impact: The issue allows escalation from normal user access to database-wide compromise

References

@glutamate glutamate published to saltcorn/saltcorn Apr 16, 2026
Published to the GitHub Advisory Database Apr 16, 2026
Reviewed Apr 16, 2026
Published by the National Vulnerability Database Apr 24, 2026
Last updated Apr 27, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(11th percentile)

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

CVE-2026-41478

GHSA ID

GHSA-jp74-mfrx-3qvh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.