CRITICAL | CVE-2026-39196 | Published | Modified | CNA: mitre

CVE-2026-39196: Datadog, Inc Vector v0

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection vulnerability in Datadog Vector v0.54.0 affects the KeyPartitioner::partition function via the set_uri_query parameter. The vulnerability is reachable over the network with no authentication required and no user interaction needed, making it exploitable by any remote party that can reach the service. Successful exploitation gives an attacker read and write access to the underlying database and can disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of publication, including custom-built images that bundle Vector v0.54.0. Matching runs continuously against images in customer registries and CI/CD pipelines so new image pushes are checked immediately.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Datadog releases a corrected version of Vector. Customers with auto-remediation enabled will automatically receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as the fix becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the service via a standard network connection to deliver a crafted request.

  • Authentication: Not required

    No credentials or prior account access are needed; the vulnerable parameter is reachable by unauthenticated requests.

  • Victim interaction: Not required

    Exploitation requires no action from any user or operator on the target system.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental factors are required.

Blast Radius

  • Reads sensitive database records, including any data stored in tables accessible to the database user used by Vector.
  • Modifies or deletes persisted database rows by injecting write or destructive SQL statements.
  • Crashes or degrades the affected Vector service by injecting statements that exhaust database resources or cause fatal errors.
  • Potentially pivots to other data sources reachable through the same database connection depending on granted privileges.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-39196 at this time, the platform monitors the Datadog advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. In the interim, compensating controls worth considering include network-policy isolation to restrict which services can reach the Vector instance, egress filtering to limit outbound database connections to known-good destinations, and disabling or gating any feature that passes external input into the set_uri_query parameter. These mitigations do not resolve the underlying vulnerability but reduce the exposed attack surface until Datadog ships a patch.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H