How is CVE-2026-45288 exploited?

Network reachability (required): The attacker must be able to reach the service over the network; no local access or special network position is needed. Authentication (not-required): No credentials or session token of any kind are required to trigger the injection. Victim interaction (not-required): The attacker acts entirely on their own; no user needs to click a link or take any action. Attack complexity (info): The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental setup.

What is the impact of CVE-2026-45288?

A successful attacker reads arbitrary data from the PostgreSQL database, including stored documents, event streams, session tokens, and any other persisted records. The attacker writes or modifies rows in the database, including forging documents, altering event history, or escalating their own privileges within the application. The attacker can crash or degrade the database service, causing a denial of service for all application workloads that depend on it. Depending on PostgreSQL server configuration, the attacker may be able to invoke server-side functions or access the host filesystem through the database engine.

Back to search

CRITICALCVE-2026-45288Published 2026-05-28Modified 2026-05-30CNA GitHub_M

CVE-2026-45288: Marten has an SQL injection vulnerability in its full-text search regConfig parameter

Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.

HarborGuard Analysis

HarborGuard analysis

Synopsis

SQL injection in Marten, a .NET document database and event store library built on PostgreSQL, allows an unauthenticated attacker to reach the vulnerability over the network without any prior access. The flaw exists because the regConfig parameter in Marten's full-text search APIs is interpolated directly into generated SQL without parameterization or sanitization, giving an attacker full read, write, and denial-of-service capability against the underlying PostgreSQL database. A patched rebuild at version 8.36.1 is available on HarborGuard for any environment running an affected version of Marten.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Marten as a dependency. Any image containing a Marten version below 8.36.1 is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each environment's compliance policy to determine urgency. Routing to the appropriate team inbox within each customer organization is available as part of the standard triage pipeline.

Available

Patch

A patched-image rebuild pinned to Marten 8.36.1 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard is capable of triggering the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the service over the network; no local access or special network position is needed.
AuthenticationNot required
No credentials or session token of any kind are required to trigger the injection.
Victim interactionNot required
The attacker acts entirely on their own; no user needs to click a link or take any action.
Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental setup.

Blast Radius

A successful attacker reads arbitrary data from the PostgreSQL database, including stored documents, event streams, session tokens, and any other persisted records.
The attacker writes or modifies rows in the database, including forging documents, altering event history, or escalating their own privileges within the application.
The attacker can crash or degrade the database service, causing a denial of service for all application workloads that depend on it.
Depending on PostgreSQL server configuration, the attacker may be able to invoke server-side functions or access the host filesystem through the database engine.

How HarborGuard Handles This

Available on HarborGuard: detection of any image containing Marten below version 8.36.1 is active as of CVE publication, with ingestion latency measured in minutes. Because a fix version (8.36.1) exists upstream, a patched-image rebuild is available for every affected environment. For customers with auto-remediation enabled, HarborGuard is capable of rebuilding the image at the patched version, running a regression test run, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is queued in the customer's triage inbox with the CVSS 9.8 Critical score and upgrade path clearly noted. Given the no-authentication, over-the-network exploit path, teams that cannot patch immediately should consider network-policy isolation to restrict which clients can reach the Marten-backed service, and egress filtering to limit lateral movement if the database is compromised.

See how HarborGuard automates this

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

JasperFx / marten
< 8.36.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References