PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40906 electric-sql CVE debrief

CVE-2026-40906 is a critical SQL injection vulnerability in Electric Sync Service versions from 1.1.12 up to, but not including, 1.5.0. The flaw lies in the order_by parameter of the /v1/shape API, which lets an authenticated user inject SQL. An attacker who exploits it can read, write, and destroy the full contents of the underlying PostgreSQL database. The Electric SQL team fixed the issue in version 1.5.0, and users should upgrade to that version or later. The CVE was published on April 21, 2026, and last modified on June 30, 2026.

Vendor
electric-sql
Product
electric
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-21
Original CVE updated
2026-06-30
Advisory published
2026-04-21
Advisory updated
2026-06-30

Who should care

Electric Sync Service users, administrators, and security teams should be aware of this vulnerability. Anyone running a version from 1.1.12 up to, but not including, 1.5.0 is at risk and should upgrade to version 1.5.0 or later without delay. Security teams that monitor for SQL injection should also understand the impact this vulnerability can have on the backing PostgreSQL database.

Technical summary

The Electric Sync Service, a Postgres sync engine, is vulnerable to SQL injection in versions from 1.1.12 up to, but not including, 1.5.0. The vulnerability is in the order_by parameter of the /v1/shape API. An authenticated user can exploit it by supplying crafted ORDER BY expressions, which can lead to unauthorized reading, modification, or destruction of the PostgreSQL database contents. The CVSS score is 9.9, a critical severity. The associated weakness is CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

Defensive priority

This vulnerability has a high defensive priority due to its critical severity score and potential impact. Affected users should prioritize upgrading to version 1.5.0 or later.

Recommended defensive actions

  • Upgrade Electric Sync Service to version 1.5.0 or later.
  • Review and monitor database activity for suspicious SQL queries.
  • Implement additional security measures, such as input validation and sanitization, for the /v1/shape API.
  • Consider compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent SQL injection attacks.
  • Regularly review and update the Electric Sync Service to ensure the latest security patches are applied.
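The validation and monitoring items above are illustrated by the following added example. It is not Electric's own code: the allowlist of sortable columns and the access-log lines are constructed for illustration, and only the /v1/shape path and the order_by parameter name are taken from this advisory. The example applies a strict grammar to order_by (identifier, optional ASC/DESC, optional NULLS FIRST/LAST), rebuilds the clause from quoted identifiers and fixed keywords so the caller's string never reaches the SQL text, and then runs the same validator over sample log lines to flag requests whose order_by would have been rejected.

```python
"""Allowlist validation for an ORDER BY style parameter, plus log triage.

Added example; not Electric's own code. The column allowlist and the log
lines are constructed; only the /v1/shape path and the order_by parameter
name come from the advisory.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of columns a client may sort on (assumption, not
# Electric's schema). Anything outside this set is rejected outright.
SORTABLE_COLUMNS = frozenset({"id", "created_at", "updated_at", "name"})

# Strict grammar for one term: identifier, optional ASC/DESC, optional
# NULLS FIRST/LAST. No parentheses, quotes, operators or function calls.
_TERM_RE = re.compile(
    r"^(?P<col>[a-z_][a-z0-9_]*)"
    r"(?:\s+(?P<dir>asc|desc))?"
    r"(?:\s+nulls\s+(?P<nulls>first|last))?$",
    re.IGNORECASE,
)


def parse_order_by(raw: str) -> list[tuple[str, str, str | None]]:
    """Parse a comma-separated order_by value into (column, direction, nulls).

    Raises ValueError for any term that does not match the grammar or names
    a column outside SORTABLE_COLUMNS, so free-text input never reaches SQL.
    """
    terms: list[tuple[str, str, str | None]] = []
    for part in raw.split(","):
        term = part.strip()
        m = _TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed order_by term: {term!r}")
        col = m.group("col").lower()
        if col not in SORTABLE_COLUMNS:
            raise ValueError(f"column not sortable: {col!r}")
        direction = (m.group("dir") or "asc").upper()
        nulls = m.group("nulls").upper() if m.group("nulls") else None
        terms.append((col, direction, nulls))
    return terms


def is_valid_order_by(raw: str) -> bool:
    """True if parse_order_by accepts the value."""
    try:
        parse_order_by(raw)
    except ValueError:
        return False
    return True


def build_order_by_sql(raw: str) -> str:
    """Rebuild the clause from validated terms, quoting each identifier.

    Assembled only from allowlisted names and fixed keywords; the caller's
    string is never concatenated into the SQL.
    """
    pieces = []
    for col, direction, nulls in parse_order_by(raw):
        piece = f'"{col}" {direction}'
        if nulls:
            piece += f" NULLS {nulls}"
        pieces.append(piece)
    return "ORDER BY " + ", ".join(pieces)


# Constructed access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Apr/2026:10:01:02 +0000] "GET /v1/shape?table=items&order_by=created_at%20DESC HTTP/1.1" 200 512
10.0.0.7 - bob [21/Apr/2026:10:01:09 +0000] "GET /v1/shape?table=items&order_by=name%27%3B-- HTTP/1.1" 200 2048
10.0.0.9 - carol [21/Apr/2026:10:02:30 +0000] "GET /v1/shape?table=items&order_by=price HTTP/1.1" 200 300
10.0.0.5 - alice [21/Apr/2026:10:03:00 +0000] "GET /healthz HTTP/1.1" 200 2
"""

_REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def triage_shape_requests(log_text: str) -> list[dict[str, str]]:
    """Flag /v1/shape requests whose order_by would fail the allowlist.

    The reason string separates syntax failures (worth an analyst's look)
    from merely unknown column names, which are usually client bugs.
    """
    findings: list[dict[str, str]] = []
    for line in log_text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/v1/shape":
            continue
        # parse_qs percent-decodes, so the value is checked as the server sees it.
        for value in parse_qs(url.query).get("order_by", []):
            try:
                parse_order_by(value)
            except ValueError as exc:
                findings.append({"src": m.group("src"), "user": m.group("user"),
                                 "order_by": value, "reason": str(exc)})
    return findings


if __name__ == "__main__":
    print(build_order_by_sql("created_at DESC, id"))
    for finding in triage_shape_requests(SAMPLE_LOG):
        print(finding)
```

Run directly, the script prints the rebuilt clause for a benign value and two findings from the constructed log: bob's request fails the grammar (quote and semicolon in the value), while carol's names a column that is simply not in the allowlist. Keeping the two reasons distinct matters when this runs over real traffic, because unknown column names are far more often a client bug than an attack.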

Evidence notes

CVE-2026-40906 was published on April 21, 2026, and last modified on June 30, 2026. The Electric SQL team fixed the issue in version 1.5.0. The vulnerability carries a CVSS score of 9.9 and is classified as CWE-89. The affected versions run from 1.1.12 up to, but not including, 1.5.0.

Official resources

This article is AI-assisted and based on the supplied source corpus.