PatchSiren cyber security CVE debrief
CVE-2026-46373 sqlfluff CVE debrief
CVE-2026-46373 is a high-severity vulnerability in SQLFluff, a modular SQL linter and auto-formatter. An untrusted user can submit a deliberately, excessively nested SQL query that exhausts resources and causes a Denial of Service (DoS). This issue affects deployments where untrusted users can provide SQL queries to be linted. The vulnerability has been patched in version 4.1.0.
- Vendor: sqlfluff
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-12
Who should care
Users of SQLFluff, especially those who deploy it in environments where untrusted users can provide SQL queries to be linted.
Technical summary
SQLFluff is vulnerable to a Denial of Service (DoS) attack due to excessive nesting in SQL queries. An untrusted user can submit a malicious query to trigger resource exhaustion. The issue has been fixed in version 4.1.0.
Defensive priority
High
Recommended defensive actions
- Update SQLFluff to version 4.1.0 or later.
- Restrict access to SQLFluff to only trusted users.
- Monitor SQLFluff deployments for excessive resource usage.
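As an added illustration of the second and third defensive actions (this is example code, not SQLFluff's own code and not the patched code path): a pre-lint guard that measures bracket nesting in untrusted input and refuses queries beyond an operational limit. The advisory does not state which nesting construct or depth triggers the exhaustion, so the parenthesis-based measure and the threshold of 32 are assumptions to be tuned against the deepest query a real workload legitimately uses.

```python
# Added example, not SQLFluff's own code: measure bracket nesting and refuse to
# lint queries beyond an assumed operational limit (tune it to the deepest
# query your real workload legitimately uses; the advisory gives no threshold).

MAX_NESTING_DEPTH = 32  # assumed limit, not a value from the advisory


def nesting_depth(sql: str) -> int:
    """Maximum parenthesis depth, ignoring comments, string literals and
    quoted identifiers so that a literal like '((((' cannot skew the count."""
    depth = max_depth = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        nxt = sql[i + 1] if i + 1 < n else ""
        if ch == "-" and nxt == "-":            # -- line comment
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
        elif ch == "/" and nxt == "*":          # /* block comment */
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif ch in ("'", '"', "`"):             # literal or quoted identifier
            end = sql.find(ch, i + 1)
            while end != -1 and sql[end + 1:end + 2] == ch:  # doubled-quote escape
                end = sql.find(ch, end + 2)
            i = n if end == -1 else end + 1
        elif ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
            i += 1
        elif ch == ")":
            depth = max(depth - 1, 0)           # tolerate unbalanced input
            i += 1
        else:
            i += 1
    return max_depth


def safe_to_lint(sql: str, limit: int = MAX_NESTING_DEPTH) -> bool:
    """Gate to apply before handing untrusted SQL to the linter."""
    return nesting_depth(sql) <= limit


# Constructed inputs: a benign nested subquery and a synthetic deeply nested one.
BENIGN = "SELECT * FROM (SELECT id FROM t WHERE x IN (1, 2)) s -- (not counted)"
HOSTILE = "SELECT " + "(" * 500 + "1" + ")" * 500
```

Run the gate in the service that accepts queries and log every rejection, which also gives the monitoring signal the third action asks for.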
Evidence notes
CVE-2026-46373 has a CVSS score of 7.5 and is classified as HIGH severity. The vulnerability was published on 2026-06-09T23:16:59.167Z and modified on 2026-06-12T14:10:04.250Z.
Official resources
- CVE-2026-46373 CVE record (CVE.org)
- CVE-2026-46373 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (contact address redacted)