CVE-2026-42031
Severity: CRITICAL | Nuclei template available
CKAN: Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
Title source: CNA
Exploitation Summary
CVE-2026-42031 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. In releases prior to 2.10.10 (2.10 series) and 2.11.5 (2.11 series), a vulnerability in the `datastore_search_sql` action allowed attackers to inject SQL in order to gain access to private resources and to PostgreSQL system information. The CVSS vector below (PR:N) records that no authentication is required. This vulnerability is fixed in 2.10.10 and 2.11.5.
Nuclei Templates (1)
CKAN DataStore SQL Search - SQL Injection
Severity: HIGH | Verified | by theamanrawat
Note: the HIGH rating is the template author's severity for the template; the CVE itself scores 9.8 (CRITICAL) on CVSS v3 in the Scores section below.
Shodan:
http.title:"CKAN"
FOFA:
title="CKAN"
References (1)
Core references (x_refsource_confirm):
https://github.com/ckan/ckan/security/advisories/GHSA-h7j7-3rx6-xvcg
Scores
CVSS v3
9.8
EPSS
0.1378 (predicted probability of exploitation activity in the next 30 days, i.e. about 13.8%)
EPSS Percentile
94.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (5)
ckan/ckan
< 2.10.10
ckan/ckan
>= 2.11.0, < 2.11.5
okfn/ckan
< 2.10.10
pypi/ckan
< 2.10.10 (PyPI)
pypi/ckan
>= 2.11.0, < 2.11.5 (PyPI)
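A triage helper for the affected ranges above, added here as example code (it is not CKAN project code and not the Nuclei template). It maps a CKAN version string onto the two affected intervals listed in the Products section (everything below 2.10.10, and 2.11.0 up to but excluding 2.11.5), ranks pre-release tags such as `2.10.10a1` below the final release so a pre-release of a fixed version is still reported as unfixed, and reads the version out of a `status_show` API response (the real CKAN action whose result carries `ckan_version`; the JSON body used below is constructed for this example, and the `parse_version`, `is_affected`, `fix_version` and `assess_status_show` names are this example's own).

```python
"""Version triage for CVE-2026-42031 (CKAN datastore_search_sql SQL injection).

Example code written for this page, not part of CKAN. Affected ranges are
taken from the Products section: < 2.10.10 and >= 2.11.0, < 2.11.5.
"""
import json
import re

# Final releases that carry the fix, per the advisory text above.
FIXED_2_10 = (2, 10, 10)
FIXED_2_11 = (2, 11, 5)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[suffix]' into a comparable 4-tuple.

    The 4th element ranks a pre-release (suffix like 'a1', 'b2', 'rc1')
    below the final release of the same number: 2.10.10a1 < 2.10.10.
    A '.postN' suffix is treated as the final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % (text,))
    major, minor, patch, suffix = m.groups()
    nums = tuple(int(x) if x else 0 for x in (major, minor, patch))
    prerelease = bool(suffix) and not suffix.startswith(".post")
    return nums + (0 if prerelease else 1,)


# Affected intervals as [lower, upper) over the tuples above. The 2.11
# interval starts at rank 0 so 2.11.0 pre-releases are conservatively
# counted as affected; the first interval covers 2.9.x and older too,
# exactly as the page's "< 2.10.10" range does.
AFFECTED = [
    ((0, 0, 0, 0), FIXED_2_10 + (1,)),
    ((2, 11, 0, 0), FIXED_2_11 + (1,)),
]


def is_affected(version_text):
    """True if the version falls inside one of the affected intervals."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def fix_version(version_text):
    """Lowest fixed release for the host's branch, or None if not affected."""
    if not is_affected(version_text):
        return None
    v = parse_version(version_text)
    return "2.11.5" if v[:2] == (2, 11) else "2.10.10"


def assess_status_show(body):
    """Triage the JSON body of GET /api/3/action/status_show.

    The result dict of status_show includes ckan_version; any other keys
    are ignored here.
    """
    doc = json.loads(body)
    version = doc["result"]["ckan_version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": fix_version(version),
    }


# Constructed sample response for this example (not captured from a live host).
SAMPLE_STATUS_SHOW = json.dumps({
    "success": True,
    "result": {"site_title": "Example Portal", "ckan_version": "2.11.3"},
})

if __name__ == "__main__":
    print(assess_status_show(SAMPLE_STATUS_SHOW))
```

Because the page lists everything below 2.10.10 as affected, a 2.9.x host is reported as affected with 2.10.10 as the upgrade target; the page does not name a fixed 2.9 release, so the helper does not invent one.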
Published
May 13, 2026
Tracked Since
May 14, 2026