Description
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
Published: 2026-04-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Full database compromise via SQL injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the order_by parameter of the ElectricSQL /v1/shape API and permits error‑based SQL injection, allowing any authenticated user to execute arbitrary SQL against the underlying PostgreSQL database. This flaw makes it possible to read, modify, and delete all database contents, effectively giving full control over the database. The weakness is a classic SQL injection (CWE‑89).

Affected Systems

Electric PostgreSQL sync engine versions from 1.1.12 up to, but not including, 1.5.0 are affected.

Risk and Exploitability

The CVSS score is 10, reflecting the catastrophic impact. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers need authenticated access to the /v1/shape endpoint; once authenticated, they can craft ORDER BY expressions to trigger the injection, read or modify any table, and even delete data.

Generated by OpenCVE AI on April 22, 2026 at 06:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electric to version 1.5.0 or later where the vulnerability is fixed
  • Restrict authenticated access to the /v1/shape endpoint to the minimum required roles and monitor logs for anomalous ORDER BY expressions
  • If immediate upgrade is not feasible, temporarily block or remove the ORDER BY parameter from API calls and validate input against a whitelist

Generated by OpenCVE AI on April 22, 2026 at 06:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Electric-sql
Electric-sql electric
Vendors & Products Electric-sql
Electric-sql electric
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
Title Electric: SQL Injection via ORDER BY Parameter in Shape API
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Electric-sql Electric
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:47:15.546Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40906

cve-icon Vulnrichment

Updated: 2026-04-22T13:47:08.906Z

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:44.697

Modified: 2026-04-22T14:17:02.420

Link: CVE-2026-40906

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-21T20:05:51Z

Links: CVE-2026-40906 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:21Z

Weaknesses