Description
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.
Published: 2026-03-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure
Action: Patch
AI Analysis

Impact

In PowerSync Service version 1.20.0, the sync engine incorrectly ignores certain subquery filters when a sync stream is configured with config.edition:3. This flaw allows an authenticated user to receive data that should have been excluded by those filters, effectively bypassing intended data access controls. The consequence is that sensitive data can be exposed to unintended users, violating confidentiality.

Affected Systems

Affected components include @powersync:service-core, @powersync:service-sync-rules, and powersync-ja:powersync-service. The vulnerability exists only in version 1.20.0 and is fixed in 1.20.1. No other versions were reported to be affected.

Risk and Exploitability

The CVSS base score is 6.5, indicating a medium severity vulnerability that directly impacts the confidentiality of user data. EPSS indicates a very low exploitation probability (<1%). The flaw is not listed in CISA's KEV catalog and no specific exploitation tools are publicly known. The most likely attack vector requires the attacker to have legitimate credentials and to configure or modify a sync stream with config.edition:3 that includes unpartitioned subqueries. Once the vector is enabled, the attacker can trigger the sync and retrieve data beyond their authorized scope.

Generated by OpenCVE AI on April 16, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PowerSync Service to version 1.20.1 or later to apply the vendor fix.
  • Review and modify any existing config.edition:3 sync streams to ensure that subquery filters are not ignored, for example by partitioning the result set or removing the affected subqueries.
  • Audit current sync stream configurations to confirm that no unauthorized data paths remain, and enforce least privilege for data synchronization.
  • Monitor logs for any unauthorized sync activity and verify that discrepancies are addressed promptly.

Generated by OpenCVE AI on April 16, 2026 at 10:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6wc-xx4m-92fj PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`
History

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Powersync-ja
Powersync-ja powersync-service
Powersync-ja powersync-service-sync-rules
Vendors & Products Powersync-ja
Powersync-ja powersync-service
Powersync-ja powersync-service-sync-rules

Mon, 09 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.
Title Some sync filters in PowerSync Service ignored using `config.edition: 3`
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Powersync-ja Powersync-service Powersync-service-sync-rules
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:14:17.271Z

Reserved: 2026-03-06T00:04:56.698Z

Link: CVE-2026-30870

cve-icon Vulnrichment

Updated: 2026-03-10T14:14:13.704Z

cve-icon NVD

Status : Deferred

Published: 2026-03-10T17:40:14.530

Modified: 2026-04-16T14:45:19.723

Link: CVE-2026-30870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses