PT-2026-24089 · @Powersync · Powersync

Moderaterkistner · Published 2026-03-07 · Updated 2026-03-10 · CVE-2026-30870

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: PowerSync versions prior to 1.20.1

Description: The PowerSync Service, the server-side component of the PowerSync sync engine, had an issue in version 1.20.0 where subquery filters were ignored when determining which data to synchronize for users on the new sync streams with config.edition: 3. This could allow authenticated users to sync data they should not have been able to access. Only queries that use subqueries without partitioning the result set were affected. The issue did not affect sync rules, sync streams using config.edition: 2, or deployments where authentication was not used. Affected queries included those that decide whether a table is synchronized based on a subquery, such as selecting data only for admin users or otherwise authorized users. Examples of vulnerable queries include those using auth.user_id() and auth.parameter() within subqueries to filter data.

Recommendations: Update PowerSync to version 1.20.1 or later. Restart the service after updating.

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2026-30870, GHSA-Q6WC-XX4M-92FJ

Affected Products: Powersync