Description
Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17.
Published: 2026-05-27
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kysely, a type-safe TypeScript SQL query builder, contains an injection flaw where JSON-path components supplied to JSONPathBuilder.key() or .at() are not escaped. Metacharacters such as the dot, brackets and wildcards are passed through unchanged and interpreted as path syntax, allowing an attacker to craft a JSON-path string that traverses beyond the intended key. The flaw permits read access to hidden sibling or child fields and, in update statements, write access to any JSON sub-field. This results in potential data exfiltration or tampering against the JSON payload stored in MySQL, PostgreSQL, or SQLite.

Affected Systems

The vulnerability affects Kysely versions 0.26.0 through 0.28.16. The product is Kysely (kysely‑org:kysely). Any deployment using MySQL, PostgreSQL, or SQLite and that executes code paths that call eb.ref(col, '->$').key(input) or .at(input) with user‑controlled input is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. EPSS information is not available, so the precise likelihood of exploitation is uncertain, but the vulnerability is not listed in the CISA KEV catalog and no publicly noted exploits exist. Attackers would need to influence the value passed to key() or .at(), typically by providing specially crafted input to an API endpoint that accepts JSON‑path values. Successful exploitation could grant read or write access to arbitrary JSON fields in the database.

Generated by OpenCVE AI on May 27, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kysely to version 0.28.17 or later, which encodes JSON‑path metacharacters
  • Audit all usages of JSONPathBuilder.key() or .at() to ensure no user‑supplied data is passed without validation
  • Implement input validation or sanitization on any variables that contribute to the JSON‑path string before constructing the query
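The validation step above, as an added TypeScript example; this is not Kysely's own code and the key format, index bound and the set of exposed field names are assumptions to adapt to your schema. It rejects any value carrying the metacharacters the advisory lists before that value reaches eb.ref(col, '->$').key() or .at(), and shows the stricter option of mapping a request to an explicit allow-list of keys. Upgrading to 0.28.17, which encodes the metacharacters, remains the primary fix; this check is defence in depth for the call sites the audit turns up.

```typescript
// Added example, not Kysely's own code: allow-list validation for values that will
// become JSON-path legs through eb.ref(col, '->$').key(input) / .at(input).
// The key policy, index bound and exposed-field set below are assumptions.

// Metacharacters the advisory lists as unescaped in affected versions (., [, ], *, ?).
const JSON_PATH_METACHARS = /[.\[\]*?]/;

// Assumed key policy: identifier-like names only, at most 64 characters.
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function isSafeJsonKey(input: unknown): input is string {
  return typeof input === 'string' && SAFE_KEY.test(input);
}

// Use as: eb.ref('settings', '->$').key(assertSafeJsonKey(req.query.field))
function assertSafeJsonKey(input: unknown): string {
  if (isSafeJsonKey(input)) return input;
  const why = typeof input === 'string' && JSON_PATH_METACHARS.test(input)
    ? 'contains a JSON-path metacharacter'
    : 'is not an identifier-like key';
  throw new Error(`rejected JSON-path key ${JSON.stringify(input)}: ${why}`);
}

// Use as: eb.ref('tags', '->$').at(assertSafeJsonIndex(req.query.i))
// Only a bounded non-negative integer is ever a legitimate array index here.
function assertSafeJsonIndex(input: unknown, max = 1000000): number {
  const n = typeof input === 'string' && /^\d{1,7}$/.test(input) ? Number(input) : input;
  if (typeof n !== 'number' || !Number.isInteger(n) || n < 0 || n > max) {
    throw new Error(`rejected JSON-path index ${JSON.stringify(input)}`);
  }
  return n;
}

// Strongest option when the set of exposable fields is known (assumed set here):
// resolve the request against an explicit allow-list, so the only strings that
// reach the query are ones the application itself declared.
const EXPOSED_SETTINGS: ReadonlySet<string> = new Set(['theme', 'locale', 'notify_email']);

function resolveExposedKey(input: unknown, allowed: ReadonlySet<string> = EXPOSED_SETTINGS): string {
  const key = assertSafeJsonKey(input);
  if (!allowed.has(key)) throw new Error(`field ${key} is not exposed`);
  return key;
}

// Constructed sample inputs: the first two are legitimate keys; the rest each carry
// a listed metacharacter or are empty and must never become a path leg.
const SAMPLE_KEYS: readonly string[] = ['theme', 'notify_email', 'theme.secret', 'a[0]', '*', 'x?', ''];

// Classifies each candidate key so the policy can be reviewed against real inputs.
function classify(inputs: readonly unknown[]): Record<string, 'ok' | 'rejected'> {
  const out: Record<string, 'ok' | 'rejected'> = {};
  for (const s of inputs) out[String(s)] = isSafeJsonKey(s) ? 'ok' : 'rejected';
  return out;
}
```

The allow-list regex deliberately rejects more than the five listed metacharacters: a validator that only blocks known-bad characters has to be revisited whenever the dialect's path grammar grows, whereas an identifier-shaped allow-list stays safe regardless. Where the column is typed as Record<string, T>, the type system infers K extends string and will not catch this for you, which is why the check sits at the request boundary rather than in the query builder call.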

Advisories

Source: Github GHSA
ID: GHSA-pv5w-4p9q-p3v2
Title: Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
History

Wed, 27 May 2026 18:45:00 +0000

Values Removed: (none) / Values Added: listed below

Description (added): Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17.
Title (added): Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
Weaknesses (added): CWE-1284, CWE-22, CWE-89, CWE-915
References (added):
Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:21:57.026Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44635

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T19:16:20.947

Modified: 2026-05-27T19:16:20.947

Link: CVE-2026-44635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z