CVE-2026-46373
Denial of Service vulnerability in sqlfluff (PyPI)
What is CVE-2026-46373 About?
This denial of service vulnerability affects deployments that let untrusted users submit SQL for linting. The parser handles nested constructs recursively, so a query crafted with deliberately excessive nesting drives recursion until the process exhausts its resources and crashes. No special tooling is needed: submitting one malicious SQL query is enough.
Affected Software
sqlfluff (PyPI), versions earlier than 4.1.0 (see Available Upgrade Options below).
Technical Details
The vulnerability arises in the SQL parser when it processes deliberately and excessively nested queries. If no recursion limit is configured, the parser descends one level of recursion per level of nesting, so an attacker-controlled input can push it past the available call stack and exhaust resources (for example, a stack or recursion-limit failure that terminates the process), producing a denial of service. The precondition is that untrusted users can supply the SQL to be linted, which lets an attacker submit a query built specifically to trigger unbounded recursion in the parsing logic.
What is the Impact of CVE-2026-46373?
Successful exploitation may allow attackers to trigger a denial of service through resource exhaustion, causing the application to become unresponsive or crash.
What is the Exploitability of CVE-2026-46373?
Exploitation is of low complexity. An attacker needs to be able to provide SQL queries to the affected application for linting. No specific authentication or high privileges are required, as the attack targets the parsing mechanism directly. This vulnerability can be exploited remotely if the application exposes an interface for users to submit arbitrary SQL queries. The primary condition for exploitation is the lack of a configured recursion limit in the parser. Deployments where untrusted users can influence the input to the SQL linter are at high risk.
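The parser shape that the Technical Details and Exploitability sections describe, shown as an added example that is not sqlfluff's code: a minimal recursive-descent parser for nested groups, once with no bound on recursion depth and once with an explicit limit, plus an iterative pre-check that a service can run on untrusted input before handing it to any linter. The grammar, the class and function names, the `max_depth` parameter and the nesting depth of 5000 are illustrative assumptions and do not correspond to any sqlfluff configuration option.

```python
"""Added example for this advisory (not sqlfluff's code): a minimal
recursive-descent parser for nested parenthesised groups, first without any
recursion bound and then with an explicit depth limit, plus an iterative
pre-check of nesting depth.  Grammar, names and limits are illustrative.
"""


class ParseError(ValueError):
    """Raised for malformed input or input that exceeds the nesting bound."""


def craft_nested_query(depth):
    """Constructed attacker-style input: `depth` nested groups around one atom."""
    return "(" * depth + "x" + ")" * depth


class UnboundedParser:
    """Vulnerable shape: one Python frame per nesting level and no depth check.

    Deep nesting exhausts the interpreter's recursion budget.  A service that
    does not catch RecursionError loses the request or the whole worker, which
    is the denial-of-service condition the advisory describes.
    """

    def __init__(self, text):
        self.text = text
        self.pos = 0

    def _enter(self, depth):
        """Hook called on every descent; the unbounded parser ignores depth."""

    def parse(self):
        node = self.parse_expr()
        if self.pos != len(self.text):
            raise ParseError("trailing input at %d" % self.pos)
        return node

    def parse_expr(self, depth=0):
        self._enter(depth)
        if self.pos < len(self.text) and self.text[self.pos] == "(":
            self.pos += 1
            inner = self.parse_expr(depth + 1)  # recursion per nesting level
            if self.pos >= len(self.text) or self.text[self.pos] != ")":
                raise ParseError("expected ')' at %d" % self.pos)
            self.pos += 1
            return ("group", inner)
        start = self.pos
        while self.pos < len(self.text) and self.text[self.pos].isalnum():
            self.pos += 1
        if start == self.pos:
            raise ParseError("expected atom at %d" % self.pos)
        return ("atom", self.text[start:self.pos])


class BoundedParser(UnboundedParser):
    """Hardened shape: the same grammar with an explicit nesting limit.

    Over-deep input is rejected with an ordinary ParseError long before the
    interpreter's recursion limit is reached, so the caller keeps control.
    """

    def __init__(self, text, max_depth=100):
        super().__init__(text)
        self.max_depth = max_depth

    def _enter(self, depth):
        if depth > self.max_depth:
            raise ParseError("nesting deeper than %d levels" % self.max_depth)


def max_nesting(sql):
    """Iterative (non-recursive) pre-check: deepest '(' nesting in the input.

    Cheap to run on untrusted input before invoking a linter whose parser you
    cannot patch; unmatched ')' never drives the count below zero.
    """
    depth = peak = 0
    for ch in sql:
        if ch == "(":
            depth += 1
            peak = max(peak, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)
    return peak


def parse_outcome(parser_cls, sql, **kwargs):
    """Return 'ok', 'rejected' (clean ParseError) or 'recursion_error'."""
    try:
        parser_cls(sql, **kwargs).parse()
        return "ok"
    except ParseError:
        return "rejected"
    except RecursionError:
        # In a real service this exception is what takes the process down.
        return "recursion_error"


if __name__ == "__main__":
    evil = craft_nested_query(5000)  # constructed payload, 5000 levels deep
    print("pre-check depth:", max_nesting(evil))
    print("unbounded parser:", parse_outcome(UnboundedParser, evil))
    print("bounded parser:  ", parse_outcome(BoundedParser, evil, max_depth=100))
```

Run as written, the unbounded parser fails with a RecursionError on the 5000-level payload under the interpreter's default recursion limit, while the bounded parser rejects the same input with a ParseError at depth 101 and keeps serving. The `max_nesting` pre-check is the pragmatic control for a deployment that cannot upgrade immediately: reject anything deeper than your chosen bound before it reaches the linter.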
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-46373?
Available Upgrade Options
- sqlfluff
- <4.1.0 → Upgrade to 4.1.0
Additional Resources
What are Similar Vulnerabilities to CVE-2026-46373?
Similar Vulnerabilities: CVE-2023-4043, CVE-2022-24320, CVE-2021-38562, CVE-2020-28052, CVE-2019-14889
