Description
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQLFluff, a SQL linter and formatter, contains a parser bug that allows an adversary to craft a query with exceptionally deep nesting. The recursive parsing logic can overflow the call stack, exhausting system resources and causing the application to halt, which manifests as a denial of service. The weakness is a classic stack overflow flaw, classified as CWE-674.

Affected Systems

The vulnerability is present in all installations of the sqlfluff module prior to version 4.1.0. Any instance that accepts SQL input from untrusted parties and passes it to the parser is affected. The fix is included beginning with the 4.1.0 release.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity and the lack of an EPSS value means current exploitation probability is unknown. Because untrusted users can submit arbitrary SQL, the attack vector is client-initiated. The vulnerability is not listed in CISA's KEV catalog, but its potential to crash services in production environments makes it a significant risk.

Generated by OpenCVE AI on June 10, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to sqlfluff v4.1.0 or newer to remove the stack overflow bug.
  • If an immediate upgrade is not feasible, restrict parser usage to trusted sources or implement strict input validation that limits nesting depth.
  • Deploy application-level resource limits or timeouts to contain the impact of any accidental or delayed DoS attempts.

Generated by OpenCVE AI on June 10, 2026 at 00:24 UTC.
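One way to implement the nesting-depth limit recommended above, as an added example that is neither SQLFluff's nor OpenCVE's code: a Python pre-parse guard (SQLFluff is a Python project) that measures bracket nesting outside string literals, quoted identifiers and comments, and rejects input above an assumed limit before it reaches the recursive parser. MAX_DEPTH, NestingTooDeep, max_nesting_depth and check_nesting are illustrative names and values, not from the advisory.

```python
# Added example, not SQLFluff's or OpenCVE's code: bound bracket nesting
# before untrusted SQL reaches a recursive parser. Parentheses inside string
# literals, quoted identifiers and comments are ignored so legitimate queries
# are not miscounted. MAX_DEPTH is an assumed policy value, not from the page.

MAX_DEPTH = 32  # assumed limit; raise it if your legitimate queries nest deeper


class NestingTooDeep(ValueError):
    """Raised when a query exceeds the permitted bracket nesting depth."""


def max_nesting_depth(sql: str) -> int:
    """Return the deepest '(' nesting found outside strings and comments."""
    depth = max_depth = 0
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("--", i):               # line comment: skip to newline
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
        elif sql.startswith("/*", i):             # block comment: skip to */
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif sql[i] in ("'", '"', "`"):           # literal or quoted identifier
            quote, j = sql[i], i + 1
            while j < n:
                if sql[j] == quote:
                    if sql.startswith(quote, j + 1):  # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            i = j + 1
        else:
            if sql[i] == "(":
                depth += 1
                max_depth = max(max_depth, depth)
            elif sql[i] == ")":
                depth = max(depth - 1, 0)         # tolerate unbalanced ')'
            i += 1
    return max_depth


def check_nesting(sql: str, limit: int = MAX_DEPTH) -> str:
    """Reject over-nested input before parsing; return it unchanged otherwise."""
    depth = max_nesting_depth(sql)
    if depth > limit:
        raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
    return sql
```

Call check_nesting on untrusted input and only pass the returned string to the linter; a rejection is logged as a policy event rather than surfacing as a crash.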

Advisories
Source: Github GHSA
ID: GHSA-wmhf-fqc8-vxhh
Title: SQLFluff: Recursive Stack Overflow in Parser
History

Fri, 12 Jun 2026 14:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:sqlfluff:sqlfluff:*:*:*:*:*:*:*:*

Wed, 10 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 02:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sqlfluff, Sqlfluff sqlfluff
Type: Vendors & Products
Values Removed: (none)
Values Added: Sqlfluff, Sqlfluff sqlfluff

Tue, 09 Jun 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0.
Type: Title
Values Removed: (none)
Values Added: SQLFluff: Recursive Stack Overflow in Parser
Type: Weaknesses
Values Removed: (none)
Values Added: CWE-674
Type: References
Values Removed: (none)
Values Added: (none shown)
Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T14:28:18.985Z

Reserved: 2026-05-13T19:53:47.921Z

Link: CVE-2026-46373

Vulnrichment

Updated: 2026-06-10T14:28:15.913Z

NVD

Status : Analyzed

Published: 2026-06-09T23:16:59.167

Modified: 2026-06-12T14:10:04.250

Link: CVE-2026-46373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses