PT-2026-36110 · Ckan · Ckan

Published: 2026-04-29 · Updated: 2026-05-13 · CVE-2026-42031

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CKAN versions prior to 2.10.10; CKAN versions prior to 2.11.5

Description: A SQL injection flaw exists in the datastore_search_sql function. It allows attackers to inject SQL commands and gain unauthorized access to private resources and PostgreSQL system information.

Recommendations: Update to version 2.10.10 or 2.11.5, depending on the branch in use. As a temporary workaround, disable the DataStore SQL search by setting ckan.datastore.sqlsearch.enabled = false, or restrict the use of the datastore_search_sql function with an IAuthFunctions plugin.
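The second workaround, restricting who may call datastore_search_sql, is shown below as an added example; it is not code from this advisory or from the CKAN project. In a real deployment the plugin class would subclass ckan.plugins.SingletonPlugin and declare ckan.plugins.implements(IAuthFunctions); those imports are left out so the logic runs without CKAN installed. CKAN auth functions do take (context, data_dict) and return a dict with a success key, and context['auth_user_obj'] is the logged-in user object, but the check_access() helper here is only a simplified stand-in for CKAN's own ckan.logic.check_access dispatch (an assumption made for the demonstration), and the plugin name, usernames and SQL string are constructed.

```python
"""Restrict CKAN's datastore_search_sql action to sysadmins via an
IAuthFunctions-style plugin.

Added example (not advisory or CKAN project code). The plugin class below is a
plain class with the get_auth_functions() method IAuthFunctions requires; in
CKAN it would also subclass SingletonPlugin and call implements(IAuthFunctions).
"""
from types import SimpleNamespace


def datastore_search_sql_auth(context, data_dict):
    """CKAN-style auth function: signature (context, data_dict), returns
    {'success': bool, 'msg': str}. Allows only logged-in sysadmins."""
    user = context.get("auth_user_obj")
    if user is None:
        return {"success": False, "msg": "Not authorized: login required"}
    if not getattr(user, "sysadmin", False):
        return {"success": False,
                "msg": "Not authorized: datastore_search_sql is restricted to sysadmins"}
    return {"success": True}


class RestrictSqlSearchPlugin:
    """Hypothetical plugin; in CKAN it would implement IAuthFunctions."""

    def get_auth_functions(self):
        # Maps action name -> auth function. Registering this name overrides
        # the default datastore_search_sql authorization for the site.
        return {"datastore_search_sql": datastore_search_sql_auth}


def build_auth_registry(plugins):
    """Collect the auth-function mappings contributed by each plugin."""
    registry = {}
    for plugin in plugins:
        registry.update(plugin.get_auth_functions())
    return registry


def check_access(registry, action, context, data_dict=None):
    """Simplified stand-in (assumption) for CKAN's check_access: consult the
    registered auth function and return True/False instead of raising."""
    auth = registry.get(action)
    if auth is None:
        return False  # unregistered action: deny by default
    return bool(auth(context, data_dict or {}).get("success"))


def make_context(username=None, sysadmin=False):
    """Constructed context carrying the parts the auth function reads:
    'user' (username) and 'auth_user_obj' (user object with .sysadmin)."""
    if username is None:
        return {"user": "", "auth_user_obj": None}
    return {"user": username,
            "auth_user_obj": SimpleNamespace(name=username, sysadmin=sysadmin)}


REGISTRY = build_auth_registry([RestrictSqlSearchPlugin()])
# Constructed request body; the resource id is a placeholder.
SAMPLE_SQL = {"sql": 'SELECT * FROM "example-resource-id" LIMIT 10'}


if __name__ == "__main__":
    for label, ctx in [("anonymous", make_context()),
                       ("editor", make_context("alice")),
                       ("sysadmin", make_context("root", sysadmin=True))]:
        allowed = check_access(REGISTRY, "datastore_search_sql", ctx, SAMPLE_SQL)
        print(f"{label:10s} -> {'allowed' if allowed else 'denied'}")
```

Two points a practitioner should keep in mind: restricting the auth function narrows who can reach the vulnerable code path but does not remove the flaw, so it is a stopgap until the upgrade to 2.10.10 or 2.11.5 is applied; and because the replacement auth function is not decorated with CKAN's auth_allow_anonymous_access, CKAN itself rejects anonymous callers before the function is even consulted, which is the intended effect here.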

Fix

Weakness Enumeration: Incorrect Authorization; SQL injection

Related Identifiers: CVE-2026-42031; GHSA-H7J7-3RX6-XVCG

Affected Products: Ckan