CVE-2026-42031
CKAN has Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
Description
### Impact A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. ### Patches The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 ### Workarounds Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. ### More information As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. ### Credits * Reported by Arvin Shivram of Brutecat Security
How to fix CVE-2026-42031
To remediate CVE-2026-42031, upgrade the affected package to a fixed version below.
- —upgrade to 2.10.10 or later
Is CVE-2026-42031 being exploited?
Moderate — EPSS is 13.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2.10.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |