CVE-2026-46373: SQLFluff: Recursive Stack Overflow in Parser
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberately excessive nesting to any application using the parser and trigger a denial of service through resource exhaustion. This issue has been patched in version 4.1.0.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A recursive stack overflow vulnerability in SQLFluff's SQL parser allows an unauthenticated remote attacker to crash any application that passes untrusted SQL input to SQLFluff for linting or formatting. The attacker submits a specially crafted query with deliberately excessive nesting, causing the parser to exhaust stack resources. Successful exploitation results in a denial of service, taking the affected application or service offline. No fix version has been published upstream yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the sqlfluff package. Any image containing a sqlfluff version below 4.1.0 is flagged immediately.
Status: Available
HarborGuard scores this CVE at CVSS 7.5 HIGH and can weight that score against each customer environment's compliance policy to determine urgency and ownership. Triage findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the interim, customers can apply compensating controls such as network-policy isolation to restrict which callers can submit SQL input to services backed by SQLFluff.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the vulnerable service over the network; any internet- or intranet-exposed application that accepts SQL input for linting is in scope.
- Authentication: Not required
  No credentials are needed; the attacker only needs the ability to submit a SQL query to the exposed endpoint.
- Victim interaction: Not required
  The attack is fully automated and requires no action from a user or administrator to trigger the crash.
- Attack complexity: Low
  Exploitation is reliable and condition-free; crafting a deeply nested SQL query requires no special timing, memory layout knowledge, or environmental prerequisites.
Blast Radius
- Crashes the process or service running SQLFluff, making linting and formatting unavailable until the service is restarted.
- Sustained or repeated submissions can keep the service continuously unavailable, effectively acting as a persistent denial of service against any pipeline or application that depends on SQLFluff.
- No confidentiality or data-integrity impact is associated with this vulnerability; the attacker cannot read or modify data through this exploit.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active and matches against all images in connected registries and CI pipelines. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment sqlfluff 4.1.0 or a later fix version is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual intervention required. While waiting for an upstream patch, compensating controls worth considering include network-policy rules that restrict which callers can submit SQL to SQLFluff-backed services, egress filtering to limit lateral exposure, and feature-flag gating to disable untrusted-input linting endpoints in environments where that is operationally feasible.
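A pre-parse guard of the kind the compensating-control advice above points at, as an added example (not HarborGuard's or SQLFluff's code): it measures parenthesis nesting with a non-recursive scan that ignores string literals, quoted identifiers and comments, and rejects input over a budget before the query ever reaches the parser. The depth limit and the injected `lint` callable are assumptions.

```python
from typing import Callable

MAX_NESTING_DEPTH = 64  # assumed policy value; raise it if legitimate queries nest deeper


class ExcessiveNestingError(ValueError):
    """Raised when input exceeds the configured nesting budget."""


def max_paren_depth(sql: str) -> int:
    """Deepest parenthesis nesting outside strings, quoted identifiers and comments.
    Linear scan with no recursion, so the guard itself cannot overflow the stack."""
    depth = peak = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"', "`"):
            # Skip a quoted literal/identifier; a doubled quote is an escape.
            i += 1
            while i < n:
                if sql[i] == ch:
                    if i + 1 < n and sql[i + 1] == ch:
                        i += 2
                        continue
                    break
                i += 1
        elif sql.startswith("--", i):            # line comment runs to end of line
            i = sql.find("\n", i)
            if i == -1:
                break
        elif sql.startswith("/*", i):            # block comment
            end = sql.find("*/", i + 2)
            if end == -1:
                break
            i = end + 1
        elif ch == "(":
            depth += 1
            peak = max(peak, depth)
        elif ch == ")":
            depth = max(0, depth - 1)            # tolerate unbalanced input
        i += 1
    return peak


def lint_untrusted(sql: str, lint: Callable[[str], object],
                   max_depth: int = MAX_NESTING_DEPTH) -> object:
    """Reject over-nested input before it reaches the parser; otherwise call
    `lint` (e.g. sqlfluff.lint, injected so this file runs without sqlfluff)."""
    depth = max_paren_depth(sql)
    if depth > max_depth:
        raise ExcessiveNestingError(f"nesting depth {depth} exceeds {max_depth}")
    return lint(sql)
```

Front the SQLFluff call with `lint_untrusted` wherever the query text comes from an untrusted caller; the budget should sit just above the deepest query your own workloads legitimately produce.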
Affected Products
- sqlfluff / sqlfluff: < 4.1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H