CVE-2026-44635

Source
https://cve.org/CVERecord?id=CVE-2026-44635
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44635.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44635
Aliases
Downstream
Published
2026-05-27T18:21:57.026Z
Modified
2026-07-08T08:13:27.915549435Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
Details

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44635.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1284",
        "CWE-22",
        "CWE-89",
        "CWE-915"
    ]
}
References

Affected packages

Git / github.com/kysely-org/kysely

Affected ranges

Type
GIT
Repo
https://github.com/kysely-org/kysely
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.26.0"
        },
        {
            "fixed": "0.28.17"
        }
    ]
}

Affected versions

0.*
0.26.0
0.26.1
0.26.2
0.26.3
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5
0.27.6
0.28.0
0.28.1
0.28.2
v0.*
v0.28.10
v0.28.11
v0.28.12
v0.28.13
v0.28.14
v0.28.15
v0.28.16
v0.28.3
v0.28.4
v0.28.5
v0.28.6
v0.28.7
v0.28.8
v0.28.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44635.json"