PT-2026-39898 · Kysely · Kysely

Starplatinu · Published 2026-05-11 · Updated 2026-05-27 · CVE-2026-44635

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kysely versions prior to 0.28.16

Description: Improper input handling in the JSON-path compiler allows attackers to access sensitive JSON data. The compiler fails to escape JSON-path metacharacters such as ., [, ], *, ** and ?; it only doubles single quotes. When attacker-controlled input is passed to the key() or at() functions, including in type-safe code where columns are defined as Record<string, T>, an attacker can use dots as path-leg separators to traverse into sibling and child fields outside the intended scope. This results in unauthorized read access and, in update statements, unauthorized write access to JSON sub-fields across MySQL, PostgreSQL (using the ->$ or ->>$ operators) and SQLite. On MySQL and PostgreSQL, the * and ** wildcards can additionally be used to enumerate all values at a given depth or to recurse through the entire document.

Recommendations: As a temporary workaround, avoid using the key() or at() functions with attacker-controlled input in the affected API endpoints until a patch is available. Restrict the input passed to key() and at() to a known-good character set, rejecting any string that contains JSON-path metacharacters.
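The allowlist check the recommendation describes, written out as an added example (this is not Kysely's own code, and the character set `[A-Za-z0-9_-]{1,64}`, the helper names and the request samples are assumptions chosen for illustration): keys destined for key() must match a strict allowlist, and indexes destined for at() must be non-negative integers, so that none of the metacharacters named above can reach the JSON-path compiler.

```typescript
// Added example, not Kysely's code: allowlist validation for values an
// application intends to pass to Kysely's JSON-path helpers key() and at().
// The allowlist below is an assumption for this example; narrow it to the
// keys your schema actually uses.

const SAFE_KEY = /^[A-Za-z0-9_-]{1,64}$/;

// Metacharacters named in the advisory (plus quotes and $), listed only so the
// error message can say which one was present.
const JSON_PATH_METACHARS = [".", "[", "]", "*", "?", "'", '"', "$"];

function isSafeJsonKey(value: unknown): value is string {
  return typeof value === "string" && SAFE_KEY.test(value);
}

function isSafeJsonIndex(value: unknown): value is number {
  return typeof value === "number" && Number.isInteger(value) && value >= 0;
}

// Throws with a descriptive message; call at the trust boundary before key().
function assertJsonKey(value: unknown, field = "key"): string {
  if (isSafeJsonKey(value)) return value;
  const found =
    typeof value === "string"
      ? JSON_PATH_METACHARS.filter((c) => value.includes(c))
      : [];
  throw new Error(
    `Rejected ${field}: expected [A-Za-z0-9_-]{1,64}` +
      (found.length ? `, found metacharacters ${JSON.stringify(found)}` : "")
  );
}

// Parse a query-string index ("0", "12") into a validated number; anything
// else (sign, leading zero, letters, too long) is rejected with null.
function parseJsonIndex(raw: string): number | null {
  if (!/^(0|[1-9][0-9]{0,9})$/.test(raw)) return null;
  const n = Number(raw);
  return isSafeJsonIndex(n) ? n : null;
}

// Constructed sample of untrusted request parameters, as an API handler
// would receive them (hypothetical, for this example only).
const constructedRequests: Array<{ key: unknown; index: string }> = [
  { key: "email", index: "0" },        // acceptable
  { key: "profile.ssn", index: "0" },  // dot would act as a path-leg separator
  { key: "*", index: "0" },            // wildcard
  { key: "email", index: "-1" },       // negative index
];

// Validate each request; only a fully validated pair may be handed to
// key()/at(). The query-builder call itself is outside this example.
function triage(reqs = constructedRequests): string[] {
  return reqs.map(({ key, index }) => {
    try {
      const k = assertJsonKey(key);
      const i = parseJsonIndex(index);
      if (i === null) {
        throw new Error("Rejected index: expected a non-negative integer");
      }
      return `ok key=${k} index=${i}`;
    } catch (e) {
      return (e as Error).message;
    }
  });
}

console.log(triage().join("\n"));
```

Validating by allowlist rather than by stripping the listed metacharacters is deliberate: a stripping filter has to anticipate every dialect's path syntax (MySQL, PostgreSQL and SQLite differ), whereas an allowlist of plain identifier characters is safe on all three without knowing the compiler's escaping rules.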

Exploit

Fix

SQL injection

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-44635
GHSA-PV5W-4P9Q-P3V2

Affected Products

Kysely