Description
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQLFluff, a SQL linter and formatter, contains a parser bug that allows an adversary to craft a query with exceptionally deep nesting. The recursive parsing logic can overflow the call stack, exhausting system resources and causing the application to halt, which manifests as a denial of service. The weakness is uncontrolled recursion, classified as CWE-674, which here surfaces as a call-stack overflow.

Affected Systems

The vulnerability is present in all installations of the sqlfluff module prior to version 4.1.0. Any instance that accepts SQL input from untrusted parties and passes it to the parser is affected. The fix is included beginning with the 4.1.0 release.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity; no EPSS value is available, so the current exploitation probability is unknown. Because untrusted users can submit arbitrary SQL, the attack is network-reachable and requires no privileges or user interaction (AV:N/PR:N/UI:N). The vulnerability is not listed in CISA’s KEV catalog, but its potential to crash services in production environments makes it a significant risk.

Generated by OpenCVE AI on June 10, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to sqlfluff v4.1.0 or newer to remove the stack overflow bug.
  • If an immediate upgrade is not feasible, restrict parser usage to trusted sources or implement strict input validation that limits nesting depth.
  • Deploy application-level resource limits or timeouts to contain the impact of any accidental or delayed DoS attempts.
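One way to implement the nesting-depth validation recommended above, as an added example that is not part of this advisory or of the SQLFluff project: a linear, non-recursive scan of the raw SQL text that rejects input whose bracket depth exceeds a policy limit before the text ever reaches the parser. The limit value, the function names and the sample queries are assumptions; brackets inside string literals, quoted identifiers and comments are ignored so that a literal such as `'((('` cannot cause a false rejection and a comment cannot mask real nesting.

```python
"""Pre-parse nesting-depth guard for SQL submitted by untrusted users.

Added example, not SQLFluff project code. MAX_NESTING_DEPTH and the
sample inputs below are constructed/assumed values.
"""

from dataclasses import dataclass

MAX_NESTING_DEPTH = 32  # assumed policy value; tune per deployment


@dataclass
class DepthReport:
    max_depth: int
    rejected: bool
    reason: str = ""


def measure_nesting_depth(sql: str, limit: int = MAX_NESTING_DEPTH) -> DepthReport:
    """Return the deepest parenthesis nesting seen in ``sql``.

    Skips single-quoted strings (with '' escapes), double-quoted
    identifiers, ``-- ...`` line comments and ``/* ... */`` block
    comments. The scan is iterative, so it is itself safe on hostile
    input, and it stops as soon as the limit is exceeded.
    """
    depth = deepest = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        nxt = sql[i + 1] if i + 1 < n else ""
        if ch == "-" and nxt == "-":  # line comment
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
            continue
        if ch == "/" and nxt == "*":  # block comment (unterminated => rest is comment)
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if ch in ("'", '"'):  # string literal or quoted identifier
            quote = ch
            i += 1
            while i < n:
                if sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:  # doubled-quote escape
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # step past the closing quote (or past end of input)
            continue
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
            if deepest > limit:
                return DepthReport(deepest, True, f"nesting depth exceeds {limit}")
        elif ch == ")":
            depth = max(depth - 1, 0)  # unbalanced ')' is the parser's concern
        i += 1
    return DepthReport(deepest, False)


def lint_if_safe(sql: str, limit: int = MAX_NESTING_DEPTH):
    """Gate a sqlfluff lint call behind the depth check.

    sqlfluff is imported inside the function so the guard can be used
    and unit-tested without sqlfluff installed.
    """
    report = measure_nesting_depth(sql, limit)
    if report.rejected:
        raise ValueError(f"rejected untrusted SQL: {report.reason}")
    import sqlfluff

    return sqlfluff.lint(sql, dialect="ansi")


# Constructed sample inputs: brackets in the literal and the comment
# must not count; the second query is pathological nesting.
BENIGN = "SELECT a FROM t WHERE b IN (SELECT c FROM u WHERE d = '(((' ) -- ((("
HOSTILE = "SELECT " + "(" * 500 + "1" + ")" * 500

if __name__ == "__main__":
    for label, query in (("benign", BENIGN), ("hostile", HOSTILE)):
        r = measure_nesting_depth(query)
        print(f"{label}: depth={r.max_depth} rejected={r.rejected} {r.reason}")
```

Combine this with a per-request timeout or worker memory cap: the depth guard removes the cheapest way to drive the parser into deep recursion, while the resource limit bounds whatever the guard does not anticipate.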

Tracking

Advisories
Source: GitHub GHSA
ID: GHSA-wmhf-fqc8-vxhh
Title: SQLFluff: Recursive Stack Overflow in Parser
History

Tue, 09 Jun 2026 23:00:00 +0000

Values removed: none

Values added:
Description: SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.
Title: SQLFluff: Recursive Stack Overflow in Parser
Weaknesses: CWE-674
References:
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T22:38:33.313Z

Reserved: 2026-05-13T19:53:47.921Z

Link: CVE-2026-46373

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:16:59.167

Modified: 2026-06-09T23:16:59.167

Link: CVE-2026-46373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:17Z

Weaknesses