@Powersync · Powersync · CVE-2026-30870
**Name of the Vulnerable Software and Affected Versions**
PowerSync versions prior to 1.20.1
**Description**
The PowerSync Service, a server-side component of the PowerSync sync engine, had an issue in version 1.20.0: when new sync streams were used with `config.edition: 3`, subquery filters were ignored when determining which data to synchronize for users. This could allow authenticated users to sync data they should not have been able to access. Only queries that use subqueries without partitioning the result set were affected. The issue did not impact sync rules, sync streams using `config.edition: 2`, or scenarios where authentication was not used. Affected queries included those that determine table synchronization based on subqueries, such as selecting data only for admin users or authorized users. Examples of vulnerable queries include those using `auth.user_id()` and `auth.parameter()` within subqueries to filter data.
**Recommendations**
Update PowerSync to version 1.20.1 or later. Restart the service after updating.