Description
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQLFluff’s parser consumes an unbounded amount of resources when it processes an excessively long query. The bug allows a malicious query to exhaust memory and CPU, resulting in an application or service crash or unresponsive state. The weakness is a classic resource exhaustion flaw, classified as CWE-400, and its primary consequence is the loss of service availability.

Affected Systems

Any installation of SQLFluff prior to version 4.2.0 that accepts user‑supplied SQL for linting or formatting is affected. This includes all projects, frameworks, or tools that depend on the older SQLFluff library, regardless of the SQL dialect or templating engine used.

Risk and Exploitability

The CVSS score of 7.5 marks this issue as high, and the lack of an EPSS score or KEV listing means no published exploitation statistics are available. Attackers who can submit SQL queries – for example, through a public linting API, a web interface, or a continuous‑integration pipeline – can trigger the denial of service by sending a query that is far larger than the typical expected size. The vulnerability has already been patched in 4.2.0, so the risk is mitigated by upgrading.

Generated by OpenCVE AI on June 10, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SQLFluff version 4.2.0 or later to apply the parser fix.
  • If upgrading is not immediately possible, enforce application‑level query size limits before linting to prevent resource exhaustion.
  • Run linting operations in a sandboxed or restricted environment and monitor resource usage to detect and interrupt runaway processes.
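The two interim controls above, a byte budget enforced before the parser runs and linting in a child process with a memory cap and a wall-clock deadline so a runaway parse is killed instead of taking the service down, as an added Python example. This is not code from SQLFluff or OpenCVE: `sqlfluff.lint(sql, dialect=...)` is the library's documented simple API, while the limit values, the `lint_untrusted` wrapper and the stand-in lint functions are assumptions constructed for the example. It uses `resource` and a forked worker, so it is POSIX only.

```python
"""Guard a lint endpoint against oversized or pathological SQL.

Added example, not SQLFluff's or OpenCVE's code. Controls shown:
  1. reject input over a byte budget before it reaches the parser;
  2. run the parser in a forked child with an address-space cap and a
     deadline, so a runaway parse is reported and killed, not the service.
POSIX only (resource + fork start method).
"""
import multiprocessing
import resource
import time
from typing import Any, Callable

# Assumed policy values; tune to the largest legitimate query you expect.
MAX_QUERY_BYTES = 64 * 1024
MAX_MEMORY_BYTES = 1024 * 1024 * 1024
TIMEOUT_SECONDS = 10.0


class QueryTooLarge(ValueError):
    """Raised before linting when the submitted SQL exceeds the byte budget."""


def check_query_size(sql: str, max_bytes: int = MAX_QUERY_BYTES) -> int:
    """Return the UTF-8 size of `sql`, or raise QueryTooLarge if over budget."""
    size = len(sql.encode("utf-8"))
    if size > max_bytes:
        raise QueryTooLarge(f"query is {size} bytes, limit is {max_bytes}")
    return size


def sqlfluff_lint(sql: str) -> Any:
    """Wrapper around SQLFluff's simple API (sqlfluff.lint). Imported lazily so
    the guard itself runs without the library installed."""
    import sqlfluff
    return sqlfluff.lint(sql, dialect="ansi")


def _worker(conn, lint_func: Callable[[str], Any], sql: str, mem_bytes: int) -> None:
    """Child process: cap address space, run the linter, report the outcome."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    cap = mem_bytes if hard == resource.RLIM_INFINITY else min(mem_bytes, hard)
    resource.setrlimit(resource.RLIMIT_AS, (cap, hard))
    try:
        conn.send(("ok", lint_func(sql)))
    except Exception as exc:  # MemoryError, RecursionError, parser errors ...
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def lint_untrusted(sql: str, lint_func: Callable[[str], Any] = sqlfluff_lint, *,
                   max_bytes: int = MAX_QUERY_BYTES, mem_bytes: int = MAX_MEMORY_BYTES,
                   timeout: float = TIMEOUT_SECONDS) -> tuple:
    """Lint untrusted SQL under limits. Returns (status, payload) with status one
    of "ok", "error", "timeout" or "crashed"; QueryTooLarge is raised up front."""
    check_query_size(sql, max_bytes)
    ctx = multiprocessing.get_context("fork")
    parent, child = ctx.Pipe(duplex=False)  # parent reads, child writes
    proc = ctx.Process(target=_worker, args=(child, lint_func, sql, mem_bytes))
    proc.start()
    child.close()
    try:
        if not parent.poll(timeout):  # no report within the deadline
            return ("timeout", None)
        return parent.recv()
    except EOFError:  # child exited without reporting (e.g. killed by the OS)
        return ("crashed", None)
    finally:
        if proc.is_alive():
            proc.kill()  # interrupt the runaway parse
        proc.join()
        parent.close()


# Constructed stand-ins for the parser so the example runs without SQLFluff.
def quick_lint(sql: str) -> list:
    return [] if sql.rstrip().endswith(";") else ["missing trailing semicolon"]


def runaway_lint(sql: str) -> list:
    time.sleep(60)  # simulates a parse that never finishes
    return []


def greedy_lint(sql: str) -> list:
    bytearray(2 * MAX_MEMORY_BYTES)  # simulates unbounded allocation
    return []


if __name__ == "__main__":
    print(lint_untrusted("select 1;", quick_lint))
    print(lint_untrusted("select 1", runaway_lint, timeout=0.5))
    print(lint_untrusted("select 1;", greedy_lint))
    try:
        lint_untrusted("select " + "1," * 100_000, quick_lint)
    except QueryTooLarge as exc:
        print("rejected:", exc)
```

The size check is deliberately the first thing that runs, before any process is spawned, because it is the cheapest control and the one that addresses the reported trigger directly; the child-process limits are the backstop for inputs that pass the budget yet still behave badly.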



Advisories
Source: Github GHSA
ID: GHSA-73jc-5mrq-prw7
Title: SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
History

Tue, 09 Jun 2026 23:00:00 +0000

Values added:
Description: SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.
Title: SQLFluff: Uncontrolled Resource Consumption in Parser
Weaknesses: CWE-400
References:
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T22:40:40.265Z

Reserved: 2026-05-13T19:53:47.921Z

Link: CVE-2026-46374

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T23:16:59.313

Modified: 2026-06-09T23:16:59.313

Link: CVE-2026-46374

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:17Z

Weaknesses