Description
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
Published: 2026-04-21
Score: 9.1 Critical
EPSS: 4.6% Low
KEV: No
Impact: SQL Injection leading to arbitrary SQL execution
Action: Immediate Patch
AI Analysis

Impact

Vendure, an open‑source headless commerce platform, contains an unauthenticated SQL injection flaw in its Shop API. The vulnerability arises from a user‑controlled query string parameter that is directly interpolated into a raw SQL expression without parameterization or validation. Because of this, an attacker can craft malicious input that will be executed against the database, enabling the execution of arbitrary SQL commands. This flaw is classified as CWE‑89 and can result in data theft, modification, or loss of database integrity.

Affected Systems

The vulnerable component is found in vendurehq's Vendure project. Versions starting at 1.7.4 and up to, but not including, 2.3.4, 3.5.7, and 3.6.2 are impacted. All database backends supported by the platform—PostgreSQL, MySQL/MariaDB, and SQLite—are affected. The Admin API is also exposed to the same issue, though it requires authentication to exploit. Upgraded releases 2.3.4, 3.5.7, and 3.6.2 contain the remediation.

Risk and Exploitability

The CVSS score for this vulnerability is 9.1, indicating a critical rating. EPSS is 5%, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is unauthenticated remote access to the Shop API, where the attacker supplies a crafted query string. If authentication is present (Admin API), the attacker needs valid credentials. The remedy is straightforward: update to a patched version or apply the provided hotfix that validates the languageCode value before it reaches the raw SQL layer, thereby blocking injection payloads.

Generated by OpenCVE AI on April 22, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vendure to version 2.3.4 or newer (or 3.5.7/3.6.2 for supported branches).
  • If immediate upgrade is not possible, apply the hotfix that validates languageCode at the boundary by replacing RequestContextService.getLanguageCode.
  • Configure the application to restrict allowed language codes and enforce strict input validation to prevent malformed values.

Generated by OpenCVE AI on April 22, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9pp3-53p2-ww9v @vendure/core has a SQL Injection vulnerability
History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vendure
Vendure vendure
Vendors & Products Vendure
Vendure vendure

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
Title @vendure/core has a SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

Vendure Vendure
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:41:11.124Z

Reserved: 2026-04-15T15:57:41.719Z

Link: CVE-2026-40887

cve-icon Vulnrichment

Updated: 2026-04-22T13:41:06.886Z

cve-icon NVD

Status : Received

Published: 2026-04-21T20:17:02.397

Modified: 2026-04-21T20:17:02.397

Link: CVE-2026-40887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses