
CVE-2026-41478: Critical Vulnerability in Saltcorn

A critical SQL injection vulnerability in Saltcorn's mobile-sync routes lets any authenticated low-privilege user execute arbitrary SQL, which can expose the entire database. Upgrade to a fixed release immediately.

CRITICAL · CVSS 9.9 · Published April 24, 2026


CVE-2026-41478 is a critical SQL injection vulnerability in Saltcorn, an open-source no-code database application builder. Any authenticated user with read access to at least one table can inject arbitrary SQL through the parameters of the mobile-sync routes; no administrative role is required. A successful attack can read the entire database, including admin password hashes and configuration secrets, and, depending on the database backend, can also modify or destroy data.

Affected versions are those prior to 1.4.6, 1.5.6, and 1.6.0-beta.5 on their respective release lines. The CVSS score of 9.9 (critical) reflects high impact on confidentiality, integrity, and availability from a low-privilege network position, so patching should be treated as urgent.

No public exploit or proof of concept is known at the time of writing, but that status should not be relied on: SQL injection reachable by any registered user is straightforward to weaponize, and for an open-source project the fix is visible to anyone who reads the release diff. Organizations running affected versions should update to a fixed release now.

The risk to an organization is unauthorized access to everything the Saltcorn instance stores, plus credentials and secrets that can be used to pivot further, with the breach-notification and compliance consequences that follow.

Vulnerability Details

The vulnerability description is as follows: Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Vulnerability type: SQL injection (CWE-89). CVSS score: 9.9, critical. Affected versions: every release before the fixed versions named above.

Technical Analysis

The root cause of CVE-2026-41478 is that user-controlled sync parameters in the mobile-sync routes are incorporated into SQL statements without being treated strictly as data. The durable fix for this class of bug is to bind values as query parameters and allow-list identifiers, not to filter strings. The attack vector is network-based, attack complexity is low, the privileges required are low (any registered user who can read one table), and no user interaction is needed.
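The pattern described above, as an added illustration that is not Saltcorn's code: a sync-style query builder that splices caller-controlled parameters into SQL text, beside the parameterized form that closes the hole. The table and column names ("tasks", "updated_at", "users") and the attacker values are constructed for this example.

```javascript
// Added illustration, not Saltcorn's code: a sync-style endpoint that splices
// caller-controlled parameters into SQL text, beside the parameterized form.
// Table and column names ("tasks", "updated_at", "users") are hypothetical.

// VULNERABLE: the table name and the "since" cursor come from the request
// and are concatenated into the statement, so a crafted value rewrites it.
function buildSyncQueryUnsafe(table, since) {
  return `SELECT * FROM "${table}" WHERE updated_at > '${since}'`;
}

// HARDENED: the identifier is allow-listed against the tables this user may
// read, then quoted; the value is passed as a bind parameter ($1) and is
// never parsed as SQL, whatever it contains.
function buildSyncQuerySafe(table, since, readableTables) {
  if (!readableTables.includes(table)) {
    throw new Error(`table not readable by this user: ${table}`);
  }
  const ident = '"' + table.replace(/"/g, '""') + '"'; // PostgreSQL identifier quoting
  return { text: `SELECT * FROM ${ident} WHERE updated_at > $1`, values: [since] };
}

// Rough check used below: how many SELECT keywords does the statement text
// contain? More than one means the input injected a second query or a UNION.
function selectCount(sql) {
  return (sql.match(/\bselect\b/gi) || []).length;
}

// Constructed attacker value: closes the string literal, appends a UNION that
// reads credential columns from another table, and comments out the rest.
const MALICIOUS_SINCE = "1970-01-01' UNION SELECT email, password, NULL FROM users --";

// Constructed attacker table name: the same trick through the identifier position.
const MALICIOUS_TABLE = 'tasks" UNION SELECT email, password, NULL FROM users --';

console.log(buildSyncQueryUnsafe("tasks", MALICIOUS_SINCE));       // two SELECTs
console.log(buildSyncQuerySafe("tasks", MALICIOUS_SINCE, ["tasks"])); // one SELECT, value bound
```

The unsafe builder emits a statement containing the attacker's UNION; the safe builder emits the same statement text regardless of input and carries the hostile string only as a bind value, which is why parameterization, not sanitization, is the control to rely on.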

Confidentiality impact is high: an attacker can read any table, including admin password hashes and configuration secrets. Integrity and availability impact are also high where the backend allows data-modifying statements, since the same injection point can alter or delete data.

Risk & Impact Analysis

Real-world risk is substantial for any Saltcorn deployment that holds sensitive data or that is reachable by users who are not fully trusted. Given the severity, the fix belongs in the emergency patch cycle, not the routine one.

The exposed surface is every account that can log in. Deployments that allow public sign-up or issue accounts to outside parties (customers, partners, contractors) effectively hand those users the whole database until the patch is applied. The high CVSS score and the ease of exploiting authenticated SQL injection make remediation urgent.

Signal / Status
Known Exploit: No
Public PoC: No
Actively Exploited: No
Ransomware Use: No

Affected Versions

All versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5 are affected. Upgrade to the fixed release of the branch in use (1.4.6, 1.5.6, or 1.6.0-beta.5) or later.

Mitigation & Remediation

Upgrade to Saltcorn 1.4.6, 1.5.6, or 1.6.0-beta.5 (or later on the same branch). If the upgrade must wait, reduce exposure rather than trying to filter SQL out of the parameters: if the Saltcorn mobile app is not in use, block the mobile-sync routes at the reverse proxy; tighten who can hold an account and which tables low-privilege roles can read; and run Saltcorn against a database account with no more rights than the application needs, which bounds what "modification or destruction" can mean. Input sanitization is not a reliable substitute for the patch. If exploitation is suspected, assume password hashes and configuration secrets have been read, and rotate those secrets and force password resets after patching.

Network controls and monitoring (see Detection Guidance below) can surface exploitation attempts, and a penetration test of the application after patching will confirm the fix is in place and that similar query-building paths are not exposed.

Detection Guidance

To detect exploitation attempts, monitor requests to the mobile-sync routes for parameters containing SQL syntax (a quote followed by an operator, UNION SELECT, comment markers such as -- or /*, stacked statements after a semicolon, timing functions such as pg_sleep), and for low-privilege accounts whose sync responses are unusually large or whose sync calls trigger database errors. On the database side, statement logging or slow-query logs will show UNION queries against the users or configuration tables, which the sync feature never issues on its own.

WAF or IDS signatures scoped to the mobile-sync routes help, but should not be the only control: the traffic is authenticated and, apart from the parameter content, indistinguishable from normal app use. Periodic review of which accounts call the sync routes, from where, and how much data they pull back will expose abuse that signatures miss.
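The log-based check described in the two paragraphs above, as an added example that is not part of the advisory or of Saltcorn: it scans web-server access logs for requests to the sync routes whose parameters carry SQL-injection indicators and attributes them per account. The route prefix `/api/sync/` and the log lines are constructed for the illustration; point `SYNC_ROUTE` at the real routes of your deployment.

```javascript
// Added example, not part of the advisory or of Saltcorn: scan access logs
// for requests to the mobile-sync routes whose parameters carry SQL-injection
// indicators. The route prefix and the log lines below are constructed for
// this illustration; adjust SYNC_ROUTE to the real routes in your deployment.

const SYNC_ROUTE = /^\/api\/sync\//;            // hypothetical path prefix

// Indicators that do not belong in a timestamp, table name or row id.
const SQLI_INDICATORS = [
  { name: "quote-then-operator", re: /'\s*(or|and|union)\b/i },
  { name: "union-select",        re: /\bunion\s+(all\s+)?select\b/i },
  { name: "comment-marker",      re: /--|\/\*/ },
  { name: "stacked-statement",   re: /;\s*(select|insert|update|delete|drop|alter|copy)\b/i },
  { name: "timing-primitive",    re: /\b(pg_sleep|sleep|benchmark|waitfor\s+delay)\b/i },
  { name: "catalog-access",      re: /\b(information_schema|pg_catalog|sqlite_master)\b/i },
];

// Common/combined log format: ip - user [time] "METHOD path HTTP/x" status bytes
const LOG_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[5], "http://placeholder");   // base is only needed for parsing
  return { ip: m[1], user: m[2], time: m[3], method: m[4],
           path: url.pathname, params: url.searchParams,
           status: Number(m[6]), bytes: m[7] };
}

// One finding per (request, parameter) whose URL-decoded value matches an indicator.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const req = parseLogLine(line.trim());
    if (!req || !SYNC_ROUTE.test(req.path)) continue;   // only the affected routes
    for (const [param, value] of req.params) {
      const hits = SQLI_INDICATORS.filter(i => i.re.test(value)).map(i => i.name);
      if (hits.length) {
        findings.push({ ip: req.ip, user: req.user, time: req.time, status: req.status,
                        bytes: req.bytes, param, value, indicators: hits });
      }
    }
  }
  return findings;
}

// Aggregate per account: the bug is reachable by any authenticated user, so
// the account, not just the source IP, is the unit to investigate.
function hitsPerUser(findings) {
  const counts = {};
  for (const f of findings) counts[f.user] = (counts[f.user] || 0) + 1;
  return counts;
}

// Constructed sample log (not real traffic). Line 4 hits a non-sync route and
// is deliberately ignored so alerts stay scoped to the vulnerable surface.
const SAMPLE_LOG = [
  '10.0.0.5 - alice [24/Apr/2026:10:01:12 +0000] "GET /api/sync/tasks?since=2026-04-20T00:00:00Z HTTP/1.1" 200 512',
  '10.0.0.9 - bob [24/Apr/2026:10:02:30 +0000] "GET /api/sync/tasks?since=1970-01-01%27%20UNION%20SELECT%20email%2Cpassword%20FROM%20users%20-- HTTP/1.1" 200 8192',
  '10.0.0.9 - bob [24/Apr/2026:10:02:45 +0000] "GET /api/sync/tasks?since=1970-01-01%27%3B%20SELECT%20pg_sleep(10)%3B-- HTTP/1.1" 500 0',
  '10.0.0.7 - carol [24/Apr/2026:10:03:01 +0000] "GET /search?q=select%20a%20union%20select%20b HTTP/1.1" 200 100',
].join("\n");

for (const f of scanAccessLog(SAMPLE_LOG)) console.log(JSON.stringify(f));
console.log(hitsPerUser(scanAccessLog(SAMPLE_LOG)));
```

Two caveats when adapting this: the query string must actually be written to the access log (some proxies truncate or strip it), and sync parameters sent in a POST body will not appear there at all, so for POST-based sync the same check has to run in application-level request logging. The 200 response with an unusually large byte count on the UNION request, and the 500 on the timing probe, are the kinds of secondary signals worth correlating with the parameter match.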

AppSecure Threat Intelligence Insight

The broader lesson of CVE-2026-41478 is that SQL injection remains common in web applications, and no-code and low-code platforms are particularly exposed because generating queries from user-defined schemas and parameters is their core function. Security teams should treat it as a prompt to verify that every query-building path in their own applications uses parameter binding and identifier allow-lists.

It also shows how much damage a low-privilege account can do when a single authorization or query-construction mistake lies behind it. Least privilege at every layer, from who receives an account, to what each role can read, to the rights of the database user the application connects with, limits the impact of a flaw like this one.

Security teams should fold this vulnerability into their existing penetration testing and vulnerability management processes rather than handling it as a one-off.

In summary, organizations running Saltcorn should patch this critical vulnerability now, treat stored secrets and password hashes as potentially exposed if the instance was reachable by untrusted users before patching, and review their own query-construction code for the same pattern.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
