Description
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Published: 2026-04-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Firebird versions earlier than 5.0.4, 4.0.7, and 3.0.14 allow an authenticated user with CREATE FUNCTION privileges to craft an ENGINE name that is concatenated into a filesystem path without filtering path separators or .. components. This path traversal bug enables the attacker to load an arbitrary shared library from any location on the host. When the library is loaded, its initialization code runs immediately, before Firebird performs any module validation, resulting in code execution under the server’s operating‑system account. The vulnerability is classified under CWE‑22, CWE‑427, CWE‑73 and CWE‑94, and carries a CVSS score of 10.
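The flaw class described above, reduced to a minimal C sketch with the unchecked path construction beside a hardened form. This is an added example, not Firebird's code: PLUGIN_DIR, the lib<name>.so naming and all function names are assumptions. Because a library's initialization code runs at load time, the name check has to come before the path ever reaches the dynamic loader.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical plugin directory; not Firebird's actual layout. */
#define PLUGIN_DIR "/opt/db/plugins"

/* "Before" pattern: the name goes into the path unchecked, so
 * separators and ".." components pass straight through. */
int build_path_unchecked(const char *engine, char *out, size_t n)
{
    int w = snprintf(out, n, "%s/lib%s.so", PLUGIN_DIR, engine);
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

/* Allow-list check: a bare identifier of [A-Za-z0-9_], 1..63 chars.
 * This rules out '/', '\\', '.', and therefore any ".." component. */
int engine_name_is_safe(const char *engine)
{
    size_t len = strlen(engine);
    if (len == 0 || len > 63)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)engine[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened builder: validate first, and only then form the path that
 * would be handed to the dynamic loader. Returns 0 on success. */
int build_path_checked(const char *engine, char *out, size_t n)
{
    if (!engine_name_is_safe(engine))
        return -1;
    return build_path_unchecked(engine, out, n);
}

int main(void)
{
    const char *samples[] = { "UDR", "../../tmp/x", "sub/dir", "" };  /* constructed */
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rc = build_path_checked(samples[i], path, sizeof path);
        printf("%-14s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```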

Affected Systems

FirebirdSQL Firebird versions prior to 5.0.4, 4.0.7 and 3.0.14 are affected. The issue is fixed in the indicated release versions.

Risk and Exploitability

The CVSS score of 10 indicates a very high severity and a low attack complexity; an attacker who can authenticate and has CREATE FUNCTION rights can exploit the flaw by creating a malicious shared library. The EPSS score is not available, but the lack of a defensive check and the high CVSS score suggest that exploitation is likely should an attacker obtain the necessary privileges. The flaw is not listed in the CISA KEV catalog, yet the exploitation potential makes it a critical risk for any environment running the affected Firebird releases.

Generated by OpenCVE AI on April 18, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firebird to a fixed release (5.0.4, 4.0.7, or 3.0.14, depending on your version).
  • Revoke or limit CREATE FUNCTION privileges so that only trusted accounts can create functions, preventing the misuse of the vulnerable engine loader.
  • Enable or review Firebird log settings and file-system monitoring to detect unexpected shared library loading or plugin directory modifications, ensuring early detection of potential exploitation attempts.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Firebirdsql; Firebirdsql firebird
Vendors & Products | | Firebirdsql; Firebirdsql firebird

Fri, 17 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | Firebird: Path Traversal + Arbitrary File Write Leads to Remote Code Execution
Weaknesses | | CWE-22; CWE-427; CWE-73; CWE-94
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T19:22:46.644Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40342

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T20:16:35.930

Modified: 2026-04-17T20:16:35.930

Link: CVE-2026-40342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z