PatchSiren cyber security CVE debrief

CVE-2026-46374 sqlfluff CVE debrief

CVE-2026-46374 is a high-severity vulnerability in SQLFluff, a modular SQL linter and auto-formatter. An untrusted user can submit a maliciously long query that triggers a Denial of Service (DoS) through resource exhaustion. The issue affects deployments where untrusted users can supply SQL queries to be linted. It has been patched in version 4.2.0.

Vendor: sqlfluff
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-12
Advisory published: 2026-06-09
Advisory updated: 2026-06-12

Who should care

Users of SQLFluff, especially those who deploy it in environments where untrusted users can provide SQL queries to be linted.

Technical summary

SQLFluff is vulnerable to a Denial of Service (DoS) attack through resource exhaustion. An untrusted user can submit a maliciously long query to any application that uses the SQLFluff parser and cause a DoS. The issue has been patched in version 4.2.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade to SQLFluff version 4.2.0 or later.
  • Restrict access to SQLFluff to only trusted users.
  • Monitor SQLFluff deployments for suspicious activity.
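As an added illustration of the technical summary and of the first two defensive actions (this is example code written for this debrief, not code from the sqlfluff project), a Python wrapper that refuses oversized untrusted input before it reaches the parser, runs the `sqlfluff lint` CLI under a hard timeout, and checks an installed version string against the 4.2.0 fix. The size cap, the timeout, the `ansi` dialect and reading the query from stdin via `-` are assumptions, not details taken from the advisory.

```python
import re
import subprocess
from typing import Tuple

FIXED_VERSION = (4, 2, 0)        # patched release named in the advisory
MAX_QUERY_BYTES = 64 * 1024      # assumed per-request cap; tune for real workloads
LINT_TIMEOUT_S = 10              # assumed per-request time budget (seconds)


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the leading dotted version out of strings like '4.2.0'
    or 'sqlfluff, version 4.1.0' (the shape of the CLI's --version output)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text: str) -> bool:
    """True when the installed sqlfluff is at or above the fixed release 4.2.0.
    Integer tuples compare numerically, so 4.10.0 correctly ranks above 4.2.0."""
    return parse_version(version_text) >= FIXED_VERSION


def within_size_cap(sql: str, max_bytes: int = MAX_QUERY_BYTES) -> bool:
    """Cheap pre-check: refuse oversized input before the parser ever sees it."""
    return len(sql.encode("utf-8")) <= max_bytes


def lint_untrusted(sql: str, dialect: str = "ansi") -> Tuple[str, str]:
    """Lint untrusted SQL behind a size gate and a hard wall-clock timeout.
    Returns (status, detail); status is 'rejected', 'timeout', 'unavailable',
    'clean' or 'violations'."""
    if not within_size_cap(sql):
        return "rejected", "query exceeds size cap"
    try:
        # '-' asks the sqlfluff CLI to read the query from stdin (assumed).
        proc = subprocess.run(
            ["sqlfluff", "lint", "--dialect", dialect, "-"],
            input=sql, capture_output=True, text=True, timeout=LINT_TIMEOUT_S,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout, bounding the damage a
        # pathological query can do to this worker.
        return "timeout", "linter exceeded time budget"
    except FileNotFoundError:
        return "unavailable", "sqlfluff CLI not on PATH"
    if proc.returncode == 0:
        return "clean", proc.stdout
    return "violations", proc.stdout or proc.stderr
```

Pair this with a deployment check such as `assert is_patched(subprocess.check_output(["sqlfluff", "--version"], text=True))` at service start-up, so that an unpatched worker refuses to serve untrusted input at all.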

Evidence notes

CVE-2026-46374 has a CVSS score of 7.5 and is classified as HIGH severity. The vulnerability was published on 2026-06-09T23:16:59.313Z and modified on 2026-06-12T14:01:35.000Z.
