PatchSiren cyber security CVE debrief
CVE-2026-40906 electric-sql CVE debrief
CVE-2026-40906 is a critical SQL injection vulnerability in Electric Sync Service versions 1.1.12 to before 1.5.0. The vulnerability exists in the /v1/shape API's order_by parameter, allowing authenticated users to inject malicious SQL. This could enable them to read, write, and destroy the full contents of the underlying PostgreSQL database. The Electric SQL team has addressed this issue in version 1.5.0. Users are advised to upgrade to this version or later to mitigate the vulnerability. The CVE was published on April 21, 2026, and modified on June 30, 2026.
- Vendor
- electric-sql
- Product
- electric
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-21
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-04-21
- Advisory updated
- 2026-06-30
Who should care
Electric Sync Service users, administrators, and security teams should be aware of this vulnerability. Anyone using versions 1.1.12 to before 1.5.0 of the Electric Sync Service is at risk and should take immediate action to upgrade to version 1.5.0 or later. Additionally, security teams monitoring for potential SQL injection attacks should be aware of this vulnerability's potential impact.
Technical summary
The Electric Sync Service, a Postgres sync engine, is vulnerable to SQL injection in versions 1.1.12 to before 1.5.0. The vulnerability is located in the /v1/shape API's order_by parameter. An authenticated user can exploit this vulnerability by crafting malicious ORDER BY expressions, potentially leading to unauthorized access, modification, or destruction of the PostgreSQL database contents. The vulnerability's CVSS score is 9.9, indicating a critical severity level. The CWE associated with this vulnerability is CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
Defensive priority
This vulnerability has a high defensive priority due to its critical severity score and potential impact. Affected users should prioritize upgrading to version 1.5.0 or later.
Recommended defensive actions
- Upgrade Electric Sync Service to version 1.5.0 or later.
- Review and monitor database activity for suspicious SQL queries.
- Implement additional security measures, such as input validation and sanitization, for the /v1/shape API.
- Consider compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent SQL injection attacks.
- Regularly review and update the Electric Sync Service to ensure the latest security patches are applied.
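As an added illustration of the pattern described in the technical summary and of the input-validation action above (example code written for this debrief, not Electric's own implementation, which is not reproduced here): a caller-controlled order_by value spliced straight into SQL, beside a hardened builder that only emits allowlisted column names and directions. The table and column names are constructed placeholders.

```python
# Constructed allowlist of sortable columns for a hypothetical table;
# a real service would derive this from the shape's actual schema.
ALLOWED_COLUMNS = {"id", "created_at", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_order_by_unsafe(order_by: str) -> str:
    # Vulnerable pattern: the untrusted string becomes part of the SQL text,
    # so any extra SQL the caller appends is executed by PostgreSQL as well.
    return f"SELECT * FROM items ORDER BY {order_by}"


def parse_order_by(order_by: str) -> list[tuple[str, str]]:
    """Validate a comma-separated order_by value against the allowlist.

    Accepts forms like "id", "name desc", "created_at DESC, id".
    Raises ValueError for anything else (unknown columns, extra tokens,
    quotes, semicolons, comments), so no caller text reaches the SQL string.
    """
    terms = []
    for raw in order_by.split(","):
        parts = raw.strip().split()
        if not parts or len(parts) > 2:
            raise ValueError(f"malformed order_by term: {raw!r}")
        column = parts[0]
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column is not sortable: {column!r}")
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError(f"invalid sort direction: {parts[1]!r}")
        terms.append((column, direction))
    return terms


def build_order_by_safe(order_by: str) -> str:
    # Hardened form: the clause is rebuilt from validated, quoted identifiers
    # and fixed direction keywords; the original string is never interpolated.
    clause = ", ".join(f'"{col}" {direction}' for col, direction in parse_order_by(order_by))
    return f"SELECT * FROM items ORDER BY {clause}"


def is_rejected(order_by: str) -> bool:
    """Return True when the hardened builder refuses the value."""
    try:
        parse_order_by(order_by)
    except ValueError:
        return True
    return False
```

Rejected requests are the signal to log: a spike in ValueError rejections on this parameter is a cheap detection for probing of the order_by field.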
Evidence notes
The CVE-2026-40906 vulnerability was published on April 21, 2026, and modified on June 30, 2026. The Electric SQL team has addressed this issue in version 1.5.0. The vulnerability has a CVSS score of 9.9 and is classified as CWE-89. The affected versions are 1.1.12 to before 1.5.0.
Official resources
- CVE-2026-40906 CVE record (CVE.org)
- CVE-2026-40906 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Exploit, Issue Tracking
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.