PYSEC-2026-2417

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-2417.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2417
Aliases
Published
2026-07-13T15:02:55.439373Z
Modified
2026-07-13T16:31:32.602029722Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
Details

Impact

A vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information.

Patches

The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5

Workarounds

Disable the DataStore SQL search (ckan.datastore.sqlsearch.enabled = false). Note that the SQL search is disabled by default.

More information

As stated in the documentation, this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a IAuthFunctions plugin.

Credits

  • Reported by Arvin Shivram of Brutecat Security
References

Affected packages

PyPI / ckan

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.10.10
Introduced
2.11.0
Fixed
2.11.5

Affected versions

0.*
0.3
0.4
0.5
0.6
0.7
0.8
0.11
1.*
1.0
1.1
1.2
1.3
1.3.2
1.3.3
1.4
1.4.1
1.4.2
1.4.3
1.4.3.1
1.5
1.5.1
1.6
1.7
1.7.1
1.8
2.*
2.0
2.0.1
2.0.7
2.0.8
2.1
2.1.1
2.1.5
2.1.6
2.2
2.2.1
2.2.3
2.2.4
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.6
2.5.7
2.5.8
2.5.9
2.6.0
2.6.1
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
2.9.11
2.10.0
2.10.1
2.10.3
2.10.4
2.10.5
2.10.6
2.10.7
2.10.8
2.10.9
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-2417.yaml"