CVE-2026-41478

CVE-2026-41478 is a critical-severity SQL injection vulnerability in @saltcorn/server (npm), affecting versions < 1.4.6. It is fixed in 1.4.6, 1.5.6, 1.6.0-beta.5.

Summary

A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend.

Details

The issue affects the mobile-sync endpoints:

  • POST /sync/load_changes
  • POST /sync/deletes

According to the provided analysis, user-controlled values from the request body are interpolated directly into SQL template literals without parameterization, type enforcement, or sanitization. In particular, req.body.syncInfos[tableName].maxLoadedId is embedded into SQL in getSyncRows() and timestamp-derived values are similarly interpolated in getDelRows().

Relevant vulnerable code paths include:

  • packages/server/routes/sync.js, getSyncRows()
    • branch using where data_tbl."${db.sqlsanitize(pkName)}" > ${syncInfo.maxLoadedId}
    • branch using and info_tbl.ref > ${syncInfo.maxLoadedId}
  • packages/server/routes/sync.js, getDelRows()
    • timestamp expressions built from request-controlled values and inserted into SQL
  • packages/server/routes/sync.js, /load_changes route handler
    • request body fields are passed into the SQL-building functions without validation or safe binding

The root cause is that values are treated as trusted SQL fragments rather than bound parameters. While db.sqlsanitize() is used for identifiers elsewhere, that does not protect interpolated values and is not intended to prevent value-based SQL injection. The report notes there is no parseInt(), numeric validation, or prepared-statement binding before these values are concatenated into the query string.

This means a normal authenticated user can escape the intended query logic and execute arbitrary SQL in the context of the application database. The provided evidence demonstrates successful extraction of user records and schema information through the vulnerable sync route, confirming that the injection is practically exploitable.
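The pattern the advisory describes, as an added example that is not Saltcorn's code: a sync-row query built from the request-controlled syncInfos[tableName].maxLoadedId, with the template-literal version beside a parameterized one, plus the handler-level validation the report says is missing. All function names (sqlsanitizeIdent, buildSyncQueryVulnerable, buildSyncQuerySafe, buildDelQuerySafe, validateSyncInfos) and the deletes table name are illustrative assumptions; the $1 placeholder syntax is PostgreSQL-style.

```javascript
// Added example (not Saltcorn's code): a minimal model of the pattern the
// advisory describes. All function names and the deletes table name below are
// illustrative assumptions, not Saltcorn identifiers.

// Stand-in for an identifier sanitizer such as db.sqlsanitize(): keeps only
// word characters. Adequate for table/column NAMES, irrelevant for VALUES.
function sqlsanitizeIdent(name) {
  return String(name).replace(/[^A-Za-z0-9_]/g, "");
}

// Vulnerable shape: the value is dropped into the SQL text verbatim, so
// whatever string the client sends becomes part of the statement.
function buildSyncQueryVulnerable(tableName, pkName, syncInfo) {
  const text =
    `select * from "${sqlsanitizeIdent(tableName)}" data_tbl ` +
    `where data_tbl."${sqlsanitizeIdent(pkName)}" > ${syncInfo.maxLoadedId}`;
  return { text, values: [] };
}

// Strict type enforcement: accept a non-negative safe integer given either as
// a number or as a digits-only string. Everything else ("", null, booleans,
// floats, any string containing operators or spaces) is rejected.
function parseNonNegativeInt(value) {
  if (typeof value === "number") {
    return Number.isSafeInteger(value) && value >= 0 ? value : null;
  }
  if (typeof value === "string" && /^\d{1,15}$/.test(value)) {
    return Number(value);
  }
  return null;
}

// Strict timestamp check for the deletes path: only a bare ISO 8601 UTC string
// or a non-negative epoch-milliseconds number is accepted, and the normalized
// ISO string is what gets bound as a parameter.
function parseTimestamp(value) {
  if (typeof value === "number" && Number.isFinite(value) && value >= 0) {
    return new Date(value).toISOString();
  }
  if (typeof value === "string" &&
      /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$/.test(value)) {
    const d = new Date(value);
    return Number.isNaN(d.getTime()) ? null : d.toISOString();
  }
  return null;
}

// Hardened shape: validate first, then bind the value through a placeholder so
// the driver ships it separately from the statement text.
function buildSyncQuerySafe(tableName, pkName, syncInfo) {
  const maxLoadedId = parseNonNegativeInt(syncInfo && syncInfo.maxLoadedId);
  if (maxLoadedId === null) {
    throw new TypeError("maxLoadedId must be a non-negative integer");
  }
  const text =
    `select * from "${sqlsanitizeIdent(tableName)}" data_tbl ` +
    `where data_tbl."${sqlsanitizeIdent(pkName)}" > $1`;
  return { text, values: [maxLoadedId] };
}

// Same treatment for a request-controlled timestamp; "deleted_rows" is a
// placeholder table name, not Saltcorn's.
function buildDelQuerySafe(tableName, since) {
  const ts = parseTimestamp(since);
  if (ts === null) throw new TypeError("since must be an ISO 8601 UTC timestamp");
  const text =
    'select ref from "deleted_rows" where table_name = $1 and deleted_at > $2';
  return { text, values: [sqlsanitizeIdent(tableName), ts] };
}

// Handler-level guard for req.body.syncInfos: an object keyed by table name,
// each entry carrying an integer maxLoadedId. Whether the caller may read each
// table is a separate authorization check that the route still has to do.
function validateSyncInfos(syncInfos) {
  if (!syncInfos || typeof syncInfos !== "object" || Array.isArray(syncInfos)) {
    throw new TypeError("syncInfos must be an object keyed by table name");
  }
  const clean = {};
  for (const [tableName, info] of Object.entries(syncInfos)) {
    const maxLoadedId = parseNonNegativeInt(info && info.maxLoadedId);
    if (maxLoadedId === null) {
      throw new TypeError(`syncInfos.${tableName}.maxLoadedId must be a non-negative integer`);
    }
    clean[tableName] = { maxLoadedId };
  }
  return clean;
}

// Constructed request bodies: one benign, one carrying a non-numeric value.
const benignBody = { users: { maxLoadedId: "42" } };
const hostileBody = { users: { maxLoadedId: "0 or 1=1" } };
console.log("vulnerable:", buildSyncQueryVulnerable("users", "id", hostileBody.users).text);
console.log("hardened:  ", buildSyncQuerySafe("users", "id", benignBody.users));
try { validateSyncInfos(hostileBody); } catch (e) { console.log("rejected:", e.message); }
```

The two defences are deliberately independent: the integer check alone would stop this particular value, but binding through a placeholder is what keeps the statement text fixed regardless of what the client sends, which matters again as soon as a field is not numeric (the timestamp on the deletes path). Identifier sanitization, as the advisory notes, addresses neither.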

PoC

Based on the provided report, the issue can be reproduced by authenticating as a normal user, sending a crafted request to the affected sync endpoint, and placing a malicious SQL expression into the sync metadata field that is later interpolated into the backend query. Successful exploitation returns attacker-selected database contents in the sync response.

Impact

  • Type: SQL injection
  • Who is impacted: Any Saltcorn deployment exposing the affected mobile-sync routes to authenticated users
  • Security impact: An authenticated low-privilege user may exfiltrate the full database, including password hashes, configuration secrets, application data, and schema information; on some backends, the same flaw may also permit writes, schema changes, or destructive operations
  • Attack preconditions: The attacker needs a valid authenticated account with access to at least one readable table through the sync feature
  • Privilege impact: The issue allows escalation from normal user access to database-wide compromise

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

CVE-2026-41478 has a CVSS score of 9.9 (Critical). The vector is network-reachable, requires only low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (1.4.6, 1.5.6, 1.6.0-beta.5); upgrading removes the vulnerable code path.

Affected versions

  • @saltcorn/server < 1.4.6
  • @saltcorn/server >= 1.5.0-beta.0, < 1.5.6
  • @saltcorn/server >= 1.6.0-alpha.0, < 1.6.0-beta.5

Security releases

  • @saltcorn/server → 1.4.6 (npm)
  • @saltcorn/server → 1.5.6 (npm)
  • @saltcorn/server → 1.6.0-beta.5 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • @saltcorn/server to 1.4.6 or later
  • @saltcorn/server to 1.5.6 or later
  • @saltcorn/server to 1.6.0-beta.5 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41478? CVE-2026-41478 is a critical-severity SQL injection vulnerability in @saltcorn/server (npm), affecting versions < 1.4.6. It is fixed in 1.4.6, 1.5.6, 1.6.0-beta.5. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. How severe is CVE-2026-41478? CVE-2026-41478 has a CVSS score of 9.9 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @saltcorn/server are affected by CVE-2026-41478? @saltcorn/server (npm) versions < 1.4.6 are affected, along with the 1.5.x and 1.6.0 pre-release ranges listed under Affected versions.
  4. Is there a fix for CVE-2026-41478? Yes. CVE-2026-41478 is fixed in 1.4.6, 1.5.6 and 1.6.0-beta.5. Upgrade to the fixed version for your release line, or later.
  5. Is CVE-2026-41478 exploitable, and should I be worried? Whether CVE-2026-41478 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-41478 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41478?
    • Upgrade @saltcorn/server to 1.4.6 or later
    • Upgrade @saltcorn/server to 1.5.6 or later
    • Upgrade @saltcorn/server to 1.6.0-beta.5 or later
