CVE-2026-46374

Source
https://cve.org/CVERecord?id=CVE-2026-46374
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46374.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46374
Aliases
Downstream
Published
2026-06-09T22:40:40.265Z
Modified
2026-07-08T08:13:48.332214358Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
SQLFluff: Uncontrolled Resource Consumption in Parser
Details

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46374.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/sqlfluff/sqlfluff

Affected ranges

Type
GIT
Repo
https://github.com/sqlfluff/sqlfluff
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:sqlfluff:sqlfluff:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.2.0"
        }
    ]
}

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.6
0.0.7
0.1.0
0.1.4
0.1.5
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.13.1
0.13.2
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0
0.4.0a1
0.4.0a2
0.4.0a3
0.4.1
0.5.4
0.5.5
0.5.6
0.6.0
0.6.0a1
0.6.0a2
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.0a1
0.7.0a2
0.7.0a5
0.7.0a6
0.7.0a7
0.7.0a8
0.7.1
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
2.*
2.0.0
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
3.*
3.0.0
3.0.0a1
3.0.0a2
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.5.0
4.*
4.0.0
4.0.0a1
4.0.0a2
4.0.0a3
4.0.1
4.0.1.post1
4.0.2
4.0.3
4.0.4
4.0.4a1
4.1.0
Other
untagged-0ddecca233f58d1186e1
untagged-1900b8efc1b9d793637f
untagged-eb9d263623ead02fd9ca

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46374.json"