CVE-2026-40906
CRITICALElectric: SQL Injection via ORDER BY Parameter in Shape API
Title source: cnaDescription
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj
X_Refsource_Misc x_refsource_misc
https://github.com/electric-sql/electric/pull/4081
Scores
CVSS v3
9.9
EPSS
0.0040
EPSS Percentile
32.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
electric/sync-service
1.1.12 - 1.5.0
electric-sql/electric
>= 1.1.12, < 1.5.0
Published
Apr 21, 2026
Tracked Since
Apr 22, 2026