Severity: HIGH | CVE-2026-49498 | CNA: VulnCheck

CVE-2026-49498: Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.
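The quoting defect described above, shown as an added example that is neither Ghidra's source nor the fix shipped in 12.1. The class and method names are hypothetical, the role names are constructed, and the password quoting assumes PostgreSQL's default `standard_conforming_strings = on`.

```java
// Added illustration: hypothetical names, not taken from Ghidra.
public class AlterRoleQuoting {

    // Defective pattern: the name is wrapped in double quotes, but double
    // quotes inside it are left untouched, so the identifier can end early.
    static String naiveIdent(String name) {
        return "\"" + name + "\"";
    }

    // PostgreSQL identifier quoting: double every embedded double quote.
    // Empty names and NUL bytes are never valid role names, so reject them.
    static String quoteIdent(String name) {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid role name");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // String-literal quoting for the password: double every single quote.
    // Assumes standard_conforming_strings = on (backslash is not special).
    static String quoteLiteral(String s) {
        return "'" + s.replace("'", "''") + "'";
    }

    // True only if the text is exactly one quoted identifier, i.e. every
    // double quote between the outer pair belongs to a doubled pair.
    static boolean isSingleIdentifier(String q) {
        int n = q.length();
        if (n < 2 || q.charAt(0) != '"' || q.charAt(n - 1) != '"') return false;
        for (int i = 1; i < n - 1; i++) {
            if (q.charAt(i) != '"') continue;
            if (i + 1 >= n - 1 || q.charAt(i + 1) != '"') return false;
            i++; // skip the second quote of the pair
        }
        return true;
    }

    static String alterRole(String user, String newPassword) {
        return "ALTER ROLE " + quoteIdent(user)
             + " WITH PASSWORD " + quoteLiteral(newPassword);
    }

    public static void main(String[] args) {
        String[] names = { "analyst1", "odd\"name" }; // constructed samples
        for (String name : names) {
            System.out.println(name
                + " | naive stays one identifier: " + isSingleIdentifier(naiveIdent(name))
                + " | escaped stays one identifier: " + isSingleIdentifier(quoteIdent(name)));
        }
        System.out.println(alterRole("odd\"name", "it's"));
    }
}
```

For the constructed name containing a double quote, the naive form fails the single-identifier check while the escaped form passes, which is the property the ALTER ROLE statement depends on.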

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 12.1
Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection in Ghidra's PostgresFunctionDatabase component affects versions 11.0 up to, but not including, 12.1. An authenticated attacker who can reach the server over the network can send a crafted PasswordChange message with a malicious username to inject arbitrary SQL into an ALTER ROLE statement. Successful exploitation gives the attacker PostgreSQL superuser privileges and complete database control. A patched-image rebuild at version 12.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-49498 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that package Ghidra. Coverage applies to both base-image layers and application-layer packages.

Available
Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH) based on the published v4.0 vector, and per-environment compliance policy weighting is available to adjust priority routing. Findings are routed to the appropriate team inbox within each customer organization based on the image owner and configured escalation rules.

Available
Patch

A patched-image rebuild targeting Ghidra 12.1 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Ghidra server over the network to deliver a crafted PasswordChange message.

  • Authentication: Required

    Any low-privilege authenticated account is sufficient; no administrative credentials are needed to trigger the injection.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from another user.

  • Attack complexity: Detail

    Exploit is reliable and condition-free; no race conditions or specific memory layout are required.

Blast Radius

  • Attacker escalates the database role to PostgreSQL superuser, gaining unrestricted control over all databases on the instance.
  • Attacker reads all stored data, including credentials, analysis results, and any other records held in the Ghidra PostgreSQL backend.
  • Attacker modifies or deletes persisted database rows, corrupting analysis data or covering tracks.
  • Attacker crashes or degrades the database service, making the Ghidra collaborative environment unavailable.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image found packaging Ghidra 11.0 through a pre-12.1 build. For environments with auto-remediation enabled, a rebuild against the 12.1 fix is triggered automatically; the flow includes a regression test run and a PR opened against affected workloads, with a median time from publication to merged patch PR of around 90 minutes for high-severity findings. Where compliance policy requires manual approval before merging, the PR is still created and routed to the designated approver inbox. As a compensating control while remediation is in progress, customers can apply network policy to restrict access to the Ghidra server port to known trusted clients only, reducing the pool of accounts that can submit PasswordChange messages.


Fix available: 12.1

Affected packages
  • nationalsecurityagency / ghidra
    < 12.1 (from 11.0)
    Fixed in 12.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N