Description

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

INFO

Published Date :

2026-04-21T20:05:51.819Z

Last Modified :

2026-04-22T13:47:15.546Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40906 vulnerability.

Vendors Products
Electric-sql
  • Electric
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40906.

URL Resource
https://github.com/electric-sql/electric/pull/4081 cve-icon cve-icon cve-icon
https://github.com/electric-sql/electric/security/advisories/GHSA-h5rg-pxx7-r2hj cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-40906 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-40906 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact