CVE-2026-42032
CRITICALCKAN: Unauthenticated Authorization Bypass in `datastore_search_sql`
Title source: cnaDescription
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system information This vulnerability is fixed in 2.10.10 and 2.11.5.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/ckan/ckan/security/advisories/GHSA-cg4x-64p3-x59h
Scores
CVSS v3
9.1
EPSS
0.0002
EPSS Percentile
3.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (5)
ckan/ckan
< 2.10.10
ckan/ckan
>= 2.11.0, < 2.11.5
okfn/ckan
< 2.10.10
pypi/ckan
0 - 2.10.10PyPI
pypi/ckan
2.11.0 - 2.11.5PyPI
Published
May 13, 2026
Tracked Since
May 14, 2026