PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44635 kysely-org CVE debrief

CVE-2026-44635 is a high-severity (CVSS 7.5) JSON path injection vulnerability in Kysely, a type-safe TypeScript SQL query builder. The issue affects versions 0.26.0 through 0.28.16, where the `DefaultQueryCompiler.visitJSONPathLeg` method fails to escape JSON-path metacharacters including `.`, `[`, `]`, `*`, `**`, and `?`. When attacker-controlled input flows into `eb.ref(col, '->$').key(input)` or `.at(input)` methods, these metacharacters are interpreted as path navigation operators rather than literal key names. This allows traversal from an intended JSON key into sibling and child fields, granting unauthorized read access and, in update statements, write access to JSON sub-fields outside the intended scope. The vulnerability impacts MySQL, PostgreSQL (using `->$/->>$` operators), and SQLite databases. Even type-safe code where the JSON column is typed as `Record<string, T>` is affected, as the `K extends string` type inference provides no runtime protection against malicious input containing path metacharacters. The vulnerability was fixed in version 0.28.17.

Vendor
kysely-org
Product
kysely
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Development teams using Kysely 0.26.0-0.28.16 with JSON column operations; security teams auditing TypeScript/Node.js applications; database administrators managing PostgreSQL, MySQL, or SQLite backends with JSON data types

Technical summary

The root cause is improper escaping of JSON-path metacharacters in Kysely's query compiler. The `visitJSONPathLeg` method in `DefaultQueryCompiler` passes user input directly into JSON path expressions without escaping, treating dots as path separators and brackets as array/index accessors. This enables attackers to traverse JSON structures arbitrarily. For example, input `foo.bar` intended as a single key name becomes a traversal to the `bar` property of `foo`. Similarly, `foo[0]` becomes array access, and wildcards `*` or `**` enable broad data extraction. The vulnerability is particularly insidious because Kysely's type system does not prevent this—when a JSON column is typed as `Record<string, T>`, the `key()` method accepts any string without compile-time warnings about metacharacters. The fix in 0.28.17 properly escapes these characters so they are treated as literal key names rather than path operators.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Kysely to version 0.28.17 or later to remediate this vulnerability
  • Audit application code for uses of eb.ref().key() or .at() methods with user-controlled input
  • Implement input validation to reject or sanitize JSON-path metacharacters (. [ ] * ** ?) before passing to Kysely JSON path methods
  • Review database query logs for anomalous JSON path traversals that may indicate exploitation attempts
  • If immediate patching is not feasible, wrap user input in Kysely's sql.lit() or equivalent escaping mechanisms where available
  • Assess JSON column schemas to identify sensitive fields that could be exposed through path traversal
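The key-validation step from the recommended actions and the escaping failure from the technical summary, as an added TypeScript example (not Kysely's own code): `isSafeJsonKey` and `findPathMetachars` gate user input before it reaches `.key()`/`.at()`, while `unescapedPath` and `quotedPath` are assumed, simplified models of leg concatenation with and without quoting, written only to show why `foo.bar` traverses when unquoted.

```typescript
// Added example, not part of Kysely. Models the advisory's metacharacters and a
// defensive allowlist for JSON keys that originate from user input.

// Metacharacters named in the advisory, interpreted as path operators when
// unescaped. "**" is matched before "*" so it is reported as one token.
const PATH_METACHAR_RE = /\*\*|[.\[\]*?]/g;

// Allowlist for keys that may be passed to .key()/.at(): letters, digits,
// underscore and hyphen only. Tighten further if your schema allows.
const SAFE_KEY_RE = /^[A-Za-z0-9_-]+$/;

// Returns the distinct metacharacter tokens found in a candidate key.
function findPathMetachars(key: string): string[] {
  const found = key.match(PATH_METACHAR_RE);
  return found ? Array.from(new Set(found)) : [];
}

function isSafeJsonKey(key: string): boolean {
  return SAFE_KEY_RE.test(key);
}

// Gate to call before eb.ref(col, '->$').key(input): throws on unsafe input.
function assertSafeJsonKey(key: string): string {
  if (!isSafeJsonKey(key)) {
    const bad = findPathMetachars(key).join(' ');
    throw new Error(`rejected JSON key ${JSON.stringify(key)}; metacharacters: ${bad || 'none (outside allowlist)'}`);
  }
  return key;
}

// Assumed model of the defect: legs joined with "." and no quoting, so a key
// containing "." becomes two legs and traverses into a sibling/child field.
function unescapedPath(legs: string[]): string {
  return '$' + legs.map((k) => '.' + k).join('');
}

// Assumed hardened model: every leg is double-quoted with inner quotes and
// backslashes escaped, so "." and "[" inside a key stay literal. Double-quoted
// member names are accepted by MySQL JSON paths, PostgreSQL jsonpath and SQLite.
function quotedPath(legs: string[]): string {
  const q = (k: string) => '"' + k.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
  return '$' + legs.map((k) => '.' + q(k)).join('');
}
```

With the unescaped model, `['profile', 'foo.bar']` compiles to `$.profile.foo.bar`, which reads `bar` under `foo`; the quoted model keeps `foo.bar` as a single literal key.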

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The affected version range (0.26.0 to 0.28.16) and fix version (0.28.17) are explicitly stated in the CVE description. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. CWE classifications include CWE-22 (Path Traversal), CWE-89 (SQL Injection), CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), and CWE-1284 (Improper Validation of Specified Quantity in Input).

Official resources

The vulnerability was disclosed via GitHub Security Advisory GHSA-pv5w-4p9q-p3v2 and published to the NVD on 2026-05-27. No known exploitation in the wild has been reported at time of disclosure.