CVE-2026-46374: SQLFluff: Uncontrolled Resource Consumption in Parser
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Uncontrolled resource consumption in SQLFluff's SQL parser allows an unauthenticated remote attacker to exhaust system resources by submitting a specially crafted long SQL query. The vulnerability is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable in any deployment that accepts SQL input from untrusted users. Successful exploitation crashes or severely degrades the linting service, resulting in a denial of service. A patched-image rebuild at version 4.2.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability for CVE-2026-46374 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle the sqlfluff package. Any image containing sqlfluff below version 4.2.0 is flagged automatically in both registry scans and CI pipeline checks.
HarborGuard scores this CVE at CVSS 7.5 (HIGH) and surfaces it with that severity weighting in each customer's compliance policy context, escalating alerts where the policy sensitivity threshold for network-reachable denial-of-service issues requires faster response. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild based on sqlfluff 4.2.0 is available on HarborGuard for any environment where the affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The parser must be reachable over the network; any deployment that accepts SQL queries from external or untrusted clients is directly exposed.
- Authentication: Not required
  No credentials or session token are needed; the attacker submits a malicious query as an anonymous request.
- Victim interaction: Not required
  The attack is fully automated and requires no action from an administrator or end user to trigger resource exhaustion.
- Attack complexity
  Exploitation is reliable and condition-free; the attacker only needs to send a sufficiently long SQL query, and no special timing or environmental setup is required.
Blast Radius
- Exhausts CPU or memory on the host running the SQLFluff parser, causing the linting or formatting service to become unresponsive or crash.
- Downstream CI pipelines or API endpoints that depend on SQLFluff for query validation are blocked, halting automated workflows until the process is restarted.
- Persistent or repeated submissions can keep the service unavailable, effectively turning a single malicious query into a sustained outage.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46374 is active the moment the advisory is ingested, matching against all images in customer registries and pipelines that carry sqlfluff below version 4.2.0. Because a fix exists at version 4.2.0, a patched-image rebuild is available immediately for affected environments. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or organizational workflow requires manual approval before merge, the PR is still created and queued for review. For environments where upgrading is temporarily blocked, compensating controls worth considering include network-policy rules that restrict which callers can submit SQL input to the linting service, request-size limits at the API gateway or load balancer to cap maximum query length, and feature-flag gating to disable the linting endpoint for untrusted user tiers until the patched image is rolled out.
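The query-length cap and time budget described above as compensating controls, shown as an added example that is not HarborGuard's or SQLFluff's own code. It assumes a Python service that calls the linter in-process on a Unix host (the SIGALRM timer is not available on Windows); `guarded_lint`, `check_query`, the two caps and the stand-in linters are all constructed for the illustration, and the only real API referenced is the `sqlfluff.lint` simple-API entry point that a deployment would pass in place of the stand-ins.

```python
"""Bound input size and parser wall-clock time before a query reaches the SQL parser.

Two independent limits: reject oversized input up-front, and abort the parse if it
runs past a time budget. Both values below are assumptions to tune per deployment.
"""
import signal
from typing import Callable

MAX_QUERY_BYTES = 64 * 1024   # assumed cap; set to the longest legitimate query you expect
MAX_PARSE_SECONDS = 5.0       # assumed budget; a normal lint finishes well under this


class QueryRejected(Exception):
    """Raised before parsing when the request exceeds the size cap."""


class ParseTimeout(Exception):
    """Raised when the parser exceeds its time budget."""


def _on_alarm(signum, frame):
    # Raising inside the signal handler unwinds the (pure-Python) parser call.
    raise ParseTimeout("parser exceeded time budget")


def guarded_lint(sql: str, lint: Callable[[str], object],
                 max_bytes: int = MAX_QUERY_BYTES,
                 max_seconds: float = MAX_PARSE_SECONDS):
    """Run `lint(sql)` only if the input is within the size cap, and abort it on timeout.

    `lint` is whatever callable does the parsing; with the real library this would be
    `lambda s: sqlfluff.lint(s, dialect="ansi")` (sqlfluff's simple API).
    """
    size = len(sql.encode("utf-8"))
    if size > max_bytes:
        raise QueryRejected(f"query of {size} bytes exceeds cap of {max_bytes}")

    # Install a one-shot wall-clock timer for the duration of the parse only.
    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, max_seconds)
    try:
        return lint(sql)
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)   # cancel the timer
        signal.signal(signal.SIGALRM, previous)   # restore the prior handler


def check_query(sql: str, lint: Callable[[str], object],
                max_bytes: int = MAX_QUERY_BYTES,
                max_seconds: float = MAX_PARSE_SECONDS) -> str:
    """Classify the outcome so a request handler can map it to 413 / 503 / 200."""
    try:
        guarded_lint(sql, lint, max_bytes=max_bytes, max_seconds=max_seconds)
        return "ok"
    except QueryRejected:
        return "too_long"
    except ParseTimeout:
        return "timeout"


# Constructed stand-ins for the real linter, so the example runs without sqlfluff installed.
def fast_lint(sql: str):
    """Behaves like a linter on a well-formed query: returns quickly with no findings."""
    return []


def runaway_lint(sql: str):
    """Simulates a parser stuck on pathological input: never returns on its own."""
    while True:
        pass


if __name__ == "__main__":
    # Constructed inputs: a normal query, an oversized one, and a parse that never ends.
    print(check_query("SELECT 1", fast_lint))                              # ok
    print(check_query("SELECT " + "1," * 40000, fast_lint))                # too_long
    print(check_query("SELECT 1", runaway_lint, max_seconds=0.2))          # timeout
```

The size check runs before any parsing, so oversized requests cost nothing beyond reading the body; the same cap belongs at the gateway or load balancer, where it is enforced before the request reaches the application at all. The timer only bounds wall-clock time and only works from the main thread; it does not bound memory, so for a service that takes untrusted SQL the stronger layout is to run the linter in a separate worker process with an address-space limit (`resource.setrlimit`) and kill that process on timeout.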
- sqlfluff / sqlfluff: < 4.2.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H