CVE-2026-42031
EPSS 13.8%CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
Description
### Impact A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. ### Patches The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 ### Workarounds Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. ### More information As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. ### Credits * Reported by Arvin Shivram of Brutecat Security
Affected packages (1)
- PyPI/ckanfrom 0, < 2.10.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-42031
- PATCHhttps://github.com/ckan/ckan
- WEBhttps://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29
- WEBhttps://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29
- WEBhttps://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions
- WEBhttps://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled
- WEBhttps://github.com/ckan/ckan/security/advisories/GHSA-h7j7-3rx6-xvcg