Impact
The flaw is a classic SQL injection vulnerability (CWE‑89) in the changePassword() routine of Ghidra’s PostgreSQL database handler. When an authenticated user supplies a crafted username, the embedded double quotes are not escaped, so the attacker can break out of the quoted identifier and insert arbitrary SQL into the ALTER ROLE command. The injected SQL can be used to grant superuser privileges and thereby take full control of the PostgreSQL database. As a result, an attacker can compromise data confidentiality, integrity, and availability for the entire database instance.
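As an added example (not Ghidra's own code), the quoting rules that prevent this class of bug, in Python: a PostgreSQL identifier and literal quoter for the ALTER ROLE statement, the unescaped pattern the advisory describes next to it, and a small parser that checks a built statement still names exactly one role followed by one PASSWORD literal. Function names and the sample username are assumptions; a username containing a double quote ends the identifier early in the naive form but stays a single token in the hardened form.

```python
"""PostgreSQL quoting for an ALTER ROLE password change (added illustration,
not Ghidra's code): identifiers are double-quoted with embedded double quotes
doubled; string literals are single-quoted with embedded single quotes doubled."""
import re

def quote_identifier(name: str) -> str:
    """Quote a role name so the parser sees exactly one identifier."""
    if not name or "\0" in name:
        raise ValueError("identifier must be non-empty and contain no NUL byte")
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value: str) -> str:
    """Quote a string literal (assumes standard_conforming_strings=on)."""
    if "\0" in value:
        raise ValueError("literal must not contain a NUL byte")
    return "'" + value.replace("'", "''") + "'"

def build_password_change(username: str, new_password: str) -> str:
    """Hardened form: each caller-controlled value becomes a single token."""
    return f"ALTER ROLE {quote_identifier(username)} WITH PASSWORD {quote_literal(new_password)}"

def build_password_change_naive(username: str, new_password: str) -> str:
    """Advisory's pattern: the name is quoted but embedded double quotes are not escaped."""
    return f'ALTER ROLE "{username}" WITH PASSWORD {quote_literal(new_password)}'

def parse_alter_role_target(sql: str) -> tuple[str, str]:
    """Return (role_name, remainder) for 'ALTER ROLE "<ident>" ...', decoding
    doubled quotes the way the PostgreSQL lexer does."""
    prefix = 'ALTER ROLE "'
    if not sql.startswith(prefix):
        raise ValueError("not an ALTER ROLE statement with a quoted identifier")
    name, i = [], len(prefix)
    while i < len(sql):
        if sql[i] == '"':
            if sql[i + 1:i + 2] == '"':  # doubled quote encodes a literal "
                name.append('"')
                i += 2
                continue
            return "".join(name), sql[i + 1:]
        name.append(sql[i])
        i += 1
    raise ValueError("unterminated identifier")

def is_single_password_change(sql: str, expected_user: str) -> bool:
    """Test-time guard: the statement names exactly expected_user and carries
    nothing beyond one PASSWORD literal (no second statement, no extra options)."""
    try:
        role, rest = parse_alter_role_target(sql)
    except ValueError:
        return False
    return role == expected_user and re.fullmatch(r" WITH PASSWORD '(?:[^']|'')*'", rest) is not None
```

The guard is a unit-test aid for reviewing statement builders, not a substitute for quoting: the fix is to quote every identifier and literal, or to use the driver's parameter and identifier helpers where available.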
Affected Systems
The vulnerability affects the National Security Agency’s Ghidra application, versions 11.0 up to but not including 12.1. Deployments in that range that use a PostgreSQL backend are at risk when the changePassword API is reachable by authenticated clients.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity; the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw is triggered by a network request that requires authentication, the likely attack vector is a credentialed attacker who can log into Ghidra and issue a password‑change command as a normal user. No EPSS score is available for this entry, but because the flaw yields full superuser access, successful exploitation would be catastrophic for the database system. Nothing in the affected code constrains the SQL that can be injected, so exploitation should be straightforward for anyone with network access to the Ghidra service and valid credentials.
OpenCVE Enrichment