PT-2026-42042 · Pypi · Sqlfluff
Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-46373
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact
In deployments where untrusted users can submit SQL to be linted, an attacker can send a query with deliberately deep nesting to any application that parses it with SQLFluff. The parser recurses once per nesting level, so a sufficiently deep query exhausts the interpreter's stack or memory and causes a Denial of Service through resource exhaustion. The vector reflects this: the attack is network-reachable, needs no privileges or user interaction, and affects availability only.
Patches
Versions 4.1.0 and later add a configurable recursion limit, enabled by default, that aborts the parse before deeply nested input can exhaust the stack. Deployments that accept SQL from untrusted sources should upgrade to 4.1.0 or later and keep the limit enabled.
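The following Python example, added to this advisory and not taken from SQLFluff's own code base, shows the vulnerable pattern described under Impact (a recursive-descent parser whose depth is dictated by the input) next to the mitigation described under Patches (a configurable nesting limit checked during the parse). The toy grammar, the `max_depth` parameter, the `ParseDepthExceeded` exception and the default of 100 are assumptions for illustration; they are not SQLFluff's option names or defaults, and the attacker input is constructed here.

```python
"""Uncontrolled recursion (CWE-674) in a toy recursive-descent SQL parser,
and a configurable depth limit as mitigation.

Example added for this advisory; it is not SQLFluff's parser and does not use
SQLFluff's API.  The grammar only models parentheses, which is enough to show
why nesting depth translates directly into stack depth.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed default for the illustration; not SQLFluff's option name or value.
DEFAULT_MAX_DEPTH = 100


class ParseDepthExceeded(Exception):
    """Controlled rejection raised by the hardened parser (hypothetical name)."""


@dataclass(frozen=True)
class Node:
    kind: str             # "group" (parenthesised sequence) or "atom"
    children: tuple = ()  # nested nodes for a group, empty for an atom


def _tokenize(sql: str) -> list:
    """Minimal lexer: parentheses are tokens, any other run of text is an atom."""
    tokens, buf = [], []
    for ch in sql:
        if ch in "()":
            if "".join(buf).strip():
                tokens.append("".join(buf).strip())
            buf = []
            tokens.append(ch)
        else:
            buf.append(ch)
    if "".join(buf).strip():
        tokens.append("".join(buf).strip())
    return tokens


def parse(sql: str, max_depth: Optional[int] = None) -> Node:
    """Parse `sql` into a Node tree.

    max_depth=None is the vulnerable pattern: each '(' costs one more Python
    frame, so the attacker controls how deep the recursion goes and a deep
    enough query ends in RecursionError (or a hard crash if the interpreter
    limit was raised), i.e. resource exhaustion.

    max_depth=N is the mitigation: depth is tracked explicitly and the parse
    is aborted with ParseDepthExceeded as soon as nesting passes N, long
    before the stack is in danger.
    """
    tokens = _tokenize(sql)
    pos = 0

    def group(depth: int) -> Node:
        nonlocal pos
        if max_depth is not None and depth > max_depth:
            raise ParseDepthExceeded(
                f"nesting depth {depth} exceeds configured limit {max_depth}")
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] == "(":
                pos += 1
                items.append(group(depth + 1))  # recursion driven by the input
                if pos >= len(tokens) or tokens[pos] != ")":
                    raise ValueError("unbalanced '('")
                pos += 1
            else:
                items.append(Node("atom"))
                pos += 1
        return Node("group", tuple(items))

    root = group(0)
    if pos != len(tokens):
        raise ValueError("unbalanced ')'")
    return root


def nesting_depth(node: Node) -> int:
    """Deepest parenthesis level in a parsed tree (the root group counts as 0)."""
    if node.kind != "group":
        return 0
    return max((1 + nesting_depth(c) for c in node.children if c.kind == "group"),
               default=0)


def malicious_query(depth: int) -> str:
    """Constructed attacker input: a trivial statement wrapped in `depth` parens."""
    return "(" * depth + "SELECT 1" + ")" * depth


def compare(sql: str, max_depth: int = DEFAULT_MAX_DEPTH) -> str:
    """Outcome of feeding `sql` to the unbounded and to the depth-limited parser."""
    try:
        parse(sql)
        unbounded = "ok"
    except RecursionError:
        unbounded = "stack-exhausted"
    try:
        parse(sql, max_depth)
        bounded = "ok"
    except ParseDepthExceeded:
        bounded = "rejected"
    return f"unbounded={unbounded} bounded={bounded}"


if __name__ == "__main__":
    print(compare("SELECT (1 + (2 * 3))"))  # benign query: both parsers accept it
    print(compare(malicious_query(5000)))    # unbounded parser exhausts the stack
```

With CPython's default recursion limit of 1000, a query nested 5000 levels deep reaches `RecursionError` in the unbounded parser, which in a long-running linting service means a crashed request or worker; the limited parser rejects the same input after 101 frames with a clear error. Raising `sys.setrecursionlimit` is not a fix: it only moves the failure point toward a hard interpreter crash, whereas a parse-time check such as `max_depth` costs one comparison per nesting level and gives a bounded, testable failure mode.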
Credit
Ori Nakar from Imperva Threat Research Team.
Weakness Enumeration
Uncontrolled Recursion (CWE-674)
Related Identifiers
Affected Products
Sqlfluff