CVE-2026-41422
Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API
Description
## Summary The `/aggregate/:typename` endpoint accepted `column` and `group` query parameters that were passed verbatim to `goqu.L()` — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. ## Impact An authenticated low-privilege user could: - Extract data from any table via subquery: `(SELECT group_concat(email) FROM user_account) as leak` - Disclose database internals: `sqlite_version()`, `(SELECT sql FROM sqlite_master)` - Exfiltrate cross-table data via correlated subqueries The vulnerability was confirmed locally; `user_account.email` values were extracted via a crafted `column` parameter by a non-admin user. ## Root Cause `goqu.L(userInput)` in `server/resource/resource_aggregate.go` inserted user-supplied query parameters directly into the SQL string with no validation. ## Fix (v0.11.4) All `goqu.L()` calls on user-controlled input were eliminated and replaced with: - Structural expression parsing supporting all documented API forms - Schema-based column validation (column names checked against entity schema via `TableInfo().GetColumnByName()`) - Exact-match allowlist for aggregate functions (`count`, `sum`, `avg`, `min`, `max`, `first`, `last`) and scalar functions (`date`, `strftime`, `upper`, `lower`, etc.) - Safe goqu constructors (`goqu.I()`, `goqu.SUM()`, `goqu.Func()`) for all generated expressions - `allowedTables` scope enforcement: qualified column refs (`table.col`) validated against root entity + explicitly joined tables only Two additional DoS bugs were fixed in the same commit: `uuid.MustParse` panic on malformed UUID input and an index-out-of-range panic in `ToOrderedExpressionArray` on empty sort expressions. ## Credits Reported by @VashuVats.
How to fix CVE-2026-41422
To remediate CVE-2026-41422, upgrade the affected package to a fixed version below.
- —upgrade to 0.11.4 or later
Is CVE-2026-41422 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.