Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. This vulnerability is fixed in 2.10.10 and 2.11.5.
Published: 2026-05-13
Score: 8.3 High
EPSS: 13.8% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in CKAN's datastore_search_sql action lets an unauthenticated client inject SQL and read data it should not see: private resources and PostgreSQL system information. The GHSA advisory classes the issue as both a SQL injection (CWE-89) and an authorization bypass, since the injected query reaches data that the normal resource-level checks would withhold. The two published scores disagree on scope: the CNA's CVSS 4.0 vector rates confidentiality impact high, integrity low and availability none, while NVD's CVSS 3.1 vector rates all three high.

Affected Systems

CKAN installations running a release earlier than 2.10.10 in the 2.10 series or 2.11.5 in the 2.11 series are vulnerable; the fix shipped in those two versions. The issue lies in the datastore extension bundled with CKAN core, which serves the datastore_search_sql action used by CKAN data hubs and portals.

Risk and Exploitability

The CNA-assigned CVSS 4.0 score of 8.3 rates the vulnerability High; NVD's CVSS 3.1 assessment (9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates it Critical. The EPSS score of 13.8% indicates a moderate probability of exploitation, and the SSVC record marks it Automatable: yes, Technical Impact: total, Exploitation: none (no exploitation known as of 15 May 2026). The GHSA advisory title describes the injection as unauthenticated, so an attacker needs only a crafted request to the datastore_search_sql action, with no credentials. Two caveats: the CVSS 4.0 vector carries AT:P (attack requirements present), meaning a deployment precondition must hold, and datastore_search_sql is only reachable on instances that have enabled it through the ckan.datastore.sqlsearch.enabled option. The vulnerability is not listed in CISA KEV, but the sensitivity of data held by public data portals makes patching a priority.

Generated by OpenCVE AI on May 22, 2026 at 15:13 UTC.
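As an added example (not code from the OpenCVE page, the advisory or the CKAN project), the following Python script scans web-server access logs in Combined Log Format for requests to the datastore_search_sql action and flags queries that touch PostgreSQL catalogs, session functions, UNION, or statement separators and comments. The /api/3/action/datastore_search_sql path is the standard CKAN action API route; the sample log lines are constructed, and the indicator list is a starting heuristic rather than anything the advisory specifies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format, as nginx/Apache write it).
# Not real traffic: the addresses are documentation ranges and the queries are illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:10:01:02 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT+*+FROM+%22abc123%22+LIMIT+5 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [14/May/2026:10:01:09 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT+version()%2C+current_user HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.7 - - [14/May/2026:10:01:15 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT+tablename+FROM+pg_catalog.pg_tables HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.2 - - [14/May/2026:10:02:00 +0000] "GET /api/3/action/package_search?q=water HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2026:10:03:00 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT+1+UNION+SELECT+table_name+FROM+information_schema.tables HTTP/1.1" 200 900 "-" "curl/8.0"
"""

# Combined Log Format; only the fields this script uses are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# CKAN serves every action under /api/<version>/action/<name>; datastore_search_sql is the
# action named in the advisory.
ENDPOINT_RE = re.compile(r'^/api/\d+/action/datastore_search_sql$')

# Heuristic indicators. A portal query against one resource table has no reason to touch
# PostgreSQL's catalogs or session functions, combine result sets with UNION, or carry
# statement separators and comments; all are typical of probing for "PostgreSQL system
# information" and other tables. Tune for your portal's legitimate analytic traffic.
INDICATORS = [
    ("pg_catalog", re.compile(r'\bpg_(catalog|tables|class|namespace|roles|shadow|settings)\b', re.I)),
    ("information_schema", re.compile(r'\binformation_schema\b', re.I)),
    ("system function", re.compile(r'\b(version|current_database|inet_server_addr|pg_read_file|pg_ls_dir)\s*\(', re.I)),
    ("UNION", re.compile(r'\bunion\b', re.I)),
    ("separator or comment", re.compile(r';|--|/\*')),
]


def extract_sql(target):
    """Return the decoded `sql` query parameter for a GET to datastore_search_sql,
    '' if the request hit the action without one, or None for any other URL."""
    parts = urlsplit(target)
    if not ENDPOINT_RE.match(parts.path):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("sql")
    return values[0] if values else ""


def analyze(log_text):
    """Parse access-log text and return one record per datastore_search_sql request,
    with the indicator names that matched its SQL (empty list when nothing matched)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a Combined Log Format line
        sql = extract_sql(m["target"])
        if sql is None:
            continue                      # some other CKAN action or a static asset
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "sql": sql,
            "indicators": [name for name, rx in INDICATORS if rx.search(sql)],
        })
    return findings


def suspicious_sources(findings):
    """Map each client IP to its number of flagged datastore_search_sql requests, so a
    single source walking the catalogs stands out even when each query looks small."""
    counts = {}
    for f in findings:
        if f["indicators"]:
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        tag = "FLAG" if f["indicators"] else "ok  "
        print(f"{tag} {f['ip']} {f['ts']} {f['status']} {f['sql']!r} {f['indicators']}")
    print("flagged requests per source:", suspicious_sources(results))
```

Only GET requests carry the query in the access log; the CKAN action API also accepts the same action as a POST with a JSON body, which a default reverse-proxy log does not record, so pair this with request-body logging at the proxy or with CKAN's own application log. A positive hit on an instance that had datastore_search_sql disabled is worth a look regardless of the SQL, since it shows someone enumerating the endpoint.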

Remediation

Vendor fix: upgrade to CKAN 2.10.10 or 2.11.5 (see GHSA-h7j7-3rx6-xvcg). Workaround until then: disable or block the datastore_search_sql action.

OpenCVE Recommended Actions

  • Upgrade CKAN to version 2.10.10 or 2.11.5 (or later) to apply the vendor’s fix.
  • If an upgrade is not immediately possible, disable the action by setting ckan.datastore.sqlsearch.enabled = false in the CKAN configuration (this option gates datastore_search_sql and is disabled by default in current CKAN releases), or block /api/*/action/datastore_search_sql at the reverse proxy. Because the attack is unauthenticated, role permissions inside CKAN do not help.
  • Review access logs for requests to datastore_search_sql that reference PostgreSQL catalogs (pg_catalog, information_schema) or built-in functions, since the advisory's impact is disclosure of private resources and system information.
  • Ensure all remaining SQL built by CKAN extensions is parameterized rather than concatenated from request input, following the mitigations for CWE-89, to prevent future injection vectors.

Generated by OpenCVE AI on May 22, 2026 at 15:13 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-h7j7-3rx6-xvcg
Title: CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
History

Fri, 15 May 2026 20:15:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 15:00:00 +0000

First time appeared: Okfn; Okfn ckan
CPEs added: cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*
Vendors & products added: Okfn; Okfn ckan
Metrics added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 13 May 2026 20:45:00 +0000

First time appeared: Ckan; Ckan ckan
Vendors & products added: Ckan; Ckan ckan

Wed, 13 May 2026 19:15:00 +0000

Description added: CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information This vulnerability is fixed in 2.10.10 and 2.11.5.
Title added: CKAN: Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
Weaknesses added: CWE-89
References added: (none listed)
Metrics added: cvssV4_0
{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:15:58.374Z

Reserved: 2026-04-23T16:05:01.708Z

Link: CVE-2026-42031

Vulnrichment

Updated: 2026-05-15T19:13:54.031Z

NVD

Status : Analyzed

Published: 2026-05-13T19:17:22.637

Modified: 2026-05-15T14:59:11.840

Link: CVE-2026-42031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses