{"id":"CVE-2026-40906","summary":"Electric: SQL Injection via ORDER BY Parameter in Shape API","details":"Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.","aliases":["GHSA-h5rg-pxx7-r2hj"],"modified":"2026-07-16T03:31:04.034028714Z","published":"2026-04-21T20:05:51.819Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-89"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40906.json"},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40906.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-40906"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40906.json"},{"type":"ADVISORY","url":"https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40906"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460291"},{"type":"FIX","url":"https://github.com/electric-sql/electric/pull/4081"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/electric-sql/electric","events":[{"introduced":"87dd51941282f75c9704900dc199f642b2ec8461"},{"fixed":"9864c0b85284d0acc37188608f925d0cdb4ddb23"}],"database_specific":{"cpe":"cpe:2.3:a:electric:sync-service:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.1.12"},{"fixed":"1.5.0"}],"source":["AFFECTED_FIELD","CPE_RANGE"]}}],"versions":["@electric-sql/y-electric@0.1.25","@electric-sql/react@1.0.28","@electric-sql/experimental@5.0.2","@electric-sql/client@1.4.2","@core/sync-service@1.3.4","@core/elixir-client@0.8.3","@core/sync-service@1.3.3","@core/sync-service@1.3.2","@core/elixir-client@0.8.2","@core/sync-service@1.3.1","@core/elixir-client@0.8.1","@core/electric-telemetry@0.1.3","@electric-sql/y-electric@0.1.24","@electric-sql/start@1.0.3","@electric-sql/react@1.0.27","@electric-sql/experimental@5.0.1","@electric-sql/client@1.4.1","@core/sync-service@1.3.0","@electric-sql/y-electric@0.1.23","@electric-sql/react@1.0.26","@electric-sql/experimental@5.0.0","@electric-sql/client@1.4.0","@core/sync-service@1.2.11","@electric-sql/start@1.0.2","@electric-sql/start@1.0.1","@electric-sql/start@1.0.0","@electric-sql/y-electric@0.1.22","@electric-sql/react@1.0.25","@electric-sql/experimental@4.0.1","@electric-sql/client@1.3.1","@core/sync-service@1.2.10","@core/electric-telemetry@0.1.2","@electric-sql/y-electric@0.1.21","@electric-sql/react@1.0.24","@electric-sql/experimental@4.0.0","@electric-sql/client@1.3.0","@core/sync-service@1.2.9","@electric-sql/y-electric@0.1.20","@electric-sql/react@1.0.23","@electric-sql/experimental@3.0.2","@electric-sql/client@1.2.2","@electric-sql/y-electric@0.1.19","@electric-sql/react@1.0.22","@electric-sql/experimental@3.0.1","@electric-sql/docs@0.0.4","@electric-sql/client@1.2.1","@core/electric-telemetry@0.1.1","@core/sync-service@1.2.8","@electric-sql/y-electric@0.1.18","@electric-sql/react@1.0.21","@electric-sql/experimental@3.0.0","@electric-sql/client@1.2.0","@core/sync-service@1.2.7","@electric-sql/y-electric@0.1.17","@electric-sql/react@1.0.20","@electric-sql/experimental@2.0.5","@electric-sql/client@1.1.5","@core/sync-service@1.2.6","@core/elixir-client@0.8.0","@electric-sql/y-electric@0.1.16","@electric-sql/react@1.0.19","@electric-sql/experimental@2.0.4","@electric-sql/client@1.1.4","@core/sync-service@1.2.5","@electric-sql/y-electric@0.1.15","@electric-sql/react@1.0.18","@electric-sql/experimental@2.0.3","@electric-sql/client@1.1.3","@core/sync-service@1.2.4","@electric-sql/y-electric@0.1.14","@electric-sql/react@1.0.17","@electric-sql/experimental@2.0.2","@electric-sql/client@1.1.2","@core/sync-service@1.2.3","@core/sync-service@1.2.2","@electric-sql/y-electric@0.1.13","@electric-sql/react@1.0.16","@electric-sql/experimental@2.0.1","@electric-sql/client@1.1.1","@core/sync-service@1.2.1","@electric-sql/y-electric@0.1.12","@electric-sql/react@1.0.15","@electric-sql/experimental@2.0.0","@electric-sql/client@1.1.0","@core/sync-service@1.2.0","@electric-sql/y-electric@0.1.11","@electric-sql/react@1.0.14","@electric-sql/experimental@1.0.14","@electric-sql/client@1.0.14","@electric-sql/y-electric@0.1.10","@electric-sql/react@1.0.13","@electric-sql/experimental@1.0.13","@electric-sql/docs@0.0.3","@electric-sql/client@1.0.13","@core/sync-service@1.1.14","tanstack-start-db-electric-starter@0.1.0","@electric-sql/y-electric@0.1.9","@electric-sql/react@1.0.12","@electric-sql/experimental@1.0.12","@electric-sql/client@1.0.12","@core/sync-service@1.1.13","@electric-sql/client@1.0.11","@electric-sql/y-electric@0.1.8","@electric-sql/react@1.0.11","@electric-sql/experimental@1.0.11","@core/sync-service@1.1.12","@core/elixir-client@0.7.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40906.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}