{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/clickhouse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61461"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Dify"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-vulnerability","dify","clickhouse"],"_cs_type":"advisory","_cs_vendors":["langgenius"],"content_html":"\u003cp\u003eDify, an open-source LLM application development platform, is affected by CVE-2026-61461, a high-severity SQL injection vulnerability discovered in versions prior to 1.16.0-rc1. This flaw resides in the MyScale vector store backend, specifically within the \u003ccode\u003esearch_by_full_text\u003c/code\u003e method. The vulnerability arises because search parameters supplied to this method are not properly sanitized or parameterized, allowing an attacker with low privileges (CVSS:PR:L) to inject arbitrary SQL code. Successful exploitation can lead to unauthorized reading, modification, or deletion of sensitive data stored in the underlying ClickHouse database, posing a significant risk to data integrity and confidentiality within affected Dify deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Dify instance running a vulnerable version (prior to 1.16.0-rc1) configured to use the MyScale vector store backend.\u003c/li\u003e\n\u003cli\u003eThe attacker gains low-privileged access to the Dify application, as indicated by the CVSS 'PR:L' metric.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a Dify endpoint that utilizes the \u003ccode\u003esearch_by_full_text\u003c/code\u003e method in the MyScale backend.\u003c/li\u003e\n\u003cli\u003eThe request includes unsanitized search parameters containing SQL injection payloads, such as special characters, keywords like \u003ccode\u003eUNION SELECT\u003c/code\u003e, or comments.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esearch_by_full_text\u003c/code\u003e method processes these parameters directly, without proper escaping or prepared statements.\u003c/li\u003e\n\u003cli\u003eThe injected SQL commands are then executed by the underlying ClickHouse database.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized data access, modification, or deletion within the ClickHouse database, impacting confidentiality, integrity, or availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61461 can lead to severe consequences for organizations using affected Dify versions. Attackers can gain comprehensive control over the underlying ClickHouse database, enabling them to exfiltrate sensitive user data, application configurations, or proprietary information. Furthermore, they can modify or delete critical data, which could lead to severe data integrity issues, service disruption, and potential legal or compliance penalties. The high CVSS score of 8.8 reflects the significant potential for impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61461 by upgrading Dify to version 1.16.0-rc1 or newer immediately, as referenced in the provided GitHub releases.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-61461 Exploitation - Dify MyScale SQL Injection\u0026quot; from this brief to your SIEM to detect attempts at SQL injection targeting Dify's \u003ccode\u003esearch_by_full_text\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for unusual request patterns, specifically looking for SQL injection keywords and special characters in \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters, as indicated by the log source \u003ccode\u003ewebserver\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:23:06Z","date_published":"2026-07-10T19:23:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dify-sql-injection/","summary":"A high-severity SQL injection vulnerability, CVE-2026-61461, exists in the MyScale vector store backend of Dify versions prior to 1.16.0-rc1, allowing attackers with low privileges to execute arbitrary SQL commands via unsanitized search parameters, leading to unauthorized data manipulation in the underlying ClickHouse database.","title":"Dify MyScale Backend SQL Injection Vulnerability (CVE-2026-61461)","url":"https://feed.craftedsignal.io/briefs/2026-07-dify-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Clickhouse","version":"https://jsonfeed.org/version/1.1"}