Description
Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the set_uri_query parameter used by the KeyPartitioner::partition function in Datadog Vector 0.54.0. An attacker can inject crafted SQL statements that read sensitive information from the database, potentially exposing confidential data. The weakness is a classic input validation failure (CWE-89).

Affected Systems

The vulnerable component is Datadog Vector, version 0.54.0, released by Datadog, Inc. No other affected versions or products are listed in the advisory.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of risk. The EPSS score of <1% suggests that exploitation attempts are currently rare, and the vulnerability is not yet listed in CISA KEV. The likely attack vector is through the API that accepts the set_uri_query parameter; an attacker would need network access to the host running the vulnerable service. Given the high severity, organizations should treat this as a high priority even though current exploitation probability is low.

Generated by OpenCVE AI on June 17, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Datadog Vector to a patched release that removes the SQL injection flaw in the KeyPartitioner::partition function.
  • If an immediate upgrade is not possible, implement strict input validation or parameterization for the set_uri_query parameter, ensuring only whitelisted values are accepted.
  • Restrict external access to the API endpoint that processes set_uri_query, limiting it to trusted networks or applying firewall rules.
  • Monitor application logs for anomalous SQL patterns and block suspicious requests with defense‑in‑depth controls.

Generated by OpenCVE AI on June 17, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Datadoghq
Datadoghq vector
Vendors & Products Datadoghq
Datadoghq vector

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Datadog Vector Set URI Query Parameter Exposes Sensitive Data

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Datadog Vector Set URI Query Parameter Exposes Sensitive Data

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.
References

Subscriptions

Datadoghq Vector
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:45:36.459Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39196

cve-icon Vulnrichment

Updated: 2026-06-16T13:45:13.315Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:27.567

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-39196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:35:57Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')