{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40342/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-40342"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["firebird","path-traversal","code-execution","cve-2026-40342","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFirebird, an open-source relational database management system, is vulnerable to a path traversal flaw (CVE-2026-40342) in versions prior to 5.0.4, 4.0.7, and 3.0.14. This vulnerability resides within the external engine plugin loader. The loader concatenates a user-supplied engine name into a filesystem path without proper sanitization, leaving it open to path traversal attacks. An authenticated user with \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges can craft a malicious \u003ccode\u003eENGINE\u003c/code\u003e name containing path separators and \u003ccode\u003e..\u003c/code\u003e components. This allows them to load an arbitrary shared library from anywhere on the filesystem. The library\u0026rsquo;s initialization code executes immediately upon loading, before Firebird can validate the module, effectively granting code execution under the security context of the server\u0026rsquo;s operating system account. Upgrading to versions 5.0.4, 4.0.7, or 3.0.14 resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Firebird database server with an account possessing \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003eENGINE\u003c/code\u003e name that includes path traversal sequences (e.g., \u003ccode\u003e../../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted \u003ccode\u003eENGINE\u003c/code\u003e name in a \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e statement, specifying a path to an arbitrary shared library on the filesystem. For example, \u003ccode\u003eCREATE FUNCTION evil_func RETURNS INTEGER ENGINE '/path/to/evil/../../../../tmp/evil.so'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Firebird server\u0026rsquo;s plugin loader concatenates the provided \u003ccode\u003eENGINE\u003c/code\u003e name into a filesystem path without proper validation.\u003c/li\u003e\n\u003cli\u003eThe Firebird server attempts to load the shared library from the attacker-controlled path, effectively bypassing intended access controls.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the shared library into the Firebird server\u0026rsquo;s process.\u003c/li\u003e\n\u003cli\u003eThe shared library\u0026rsquo;s initialization code executes immediately, granting the attacker arbitrary code execution within the context of the Firebird server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Firebird server\u0026rsquo;s OS account, potentially leading to data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Firebird server with the privileges of the operating system account running the Firebird service. This can lead to full system compromise, including data exfiltration, modification, or destruction. Given the high CVSS score of 9.9, this vulnerability poses a critical risk to organizations using vulnerable Firebird versions. The impact could range from complete database compromise to lateral movement within the network, depending on the privileges of the Firebird service account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 to patch CVE-2026-40342.\u003c/li\u003e\n\u003cli\u003eMonitor Firebird server logs for \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e statements with suspicious \u003ccode\u003eENGINE\u003c/code\u003e names containing path traversal sequences, and deploy the Sigma rule \u003ccode\u003eDetect Firebird Create Function Path Traversal\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges to only authorized users, and enable audit logging on all Firebird database servers to monitor user activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:35Z","date_published":"2026-04-17T20:16:35Z","id":"/briefs/2026-04-firebird-path-traversal/","summary":"An authenticated user with CREATE FUNCTION privileges can exploit a path traversal vulnerability in Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14, to load an arbitrary shared library leading to code execution as the server's OS account.","title":"Firebird Path Traversal Vulnerability Leads to Code Execution (CVE-2026-40342)","url":"https://feed.craftedsignal.io/briefs/2026-04-firebird-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40342","version":"https://jsonfeed.org/version/1.1"}