PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49498 nationalsecurityagency CVE debrief

CVE-2026-49498 is a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase in Ghidra 11.0 before 12.1. The vulnerability fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.

Vendor
nationalsecurityagency
Product
ghidra
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Users of Ghidra 11.0 before 12.1, administrators of systems where Ghidra is installed, and security teams monitoring for potential SQL injection attacks.

Technical summary

The vulnerability is located in the changePassword() method of PostgresFunctionDatabase. It fails to properly escape double quotes in usernames, allowing authenticated attackers to inject SQL commands. This can be exploited via crafted username parameters in PasswordChange network messages.

Defensive priority

HIGH

Recommended defensive actions

  • Update Ghidra to version 12.1 or later.
  • Restrict access to the Ghidra application to trusted users only.
  • Monitor network traffic for suspicious PasswordChange messages.

Evidence notes

CVE-2026-49498 has a CVSS score of 8.7 and is classified as HIGH severity. The vulnerability is confirmed to exist in Ghidra versions 11.0 and below, up to but not including 12.1.

Official resources

CVE-2026-49498 was published on [2026-06-10T14:16:34.777Z](https://www.cve.org/CVERecord?id=CVE-2026-49498) and modified on [2026-06-11T19:50:42.617Z](https://nvd.nist.gov/vuln/detail/CVE-2026-49498).