<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sqlfluff — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sqlfluff/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 19 May 2026 20:13:42 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sqlfluff/feed.xml" rel="self" type="application/rss+xml"/><item><title>SQLFluff Uncontrolled Resource Consumption Vulnerability (CVE-2026-46374)</title><link>https://feed.craftedsignal.io/briefs/2026-05-sqlfluff-resource-consumption/</link><pubDate>Tue, 19 May 2026 20:13:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-sqlfluff-resource-consumption/</guid><description>SQLFluff versions prior to 4.2.0 are vulnerable to uncontrolled resource consumption (CVE-2026-46374), allowing an attacker to cause a denial of service by submitting a maliciously crafted, long SQL query.</description><content:encoded><![CDATA[<p>SQLFluff versions before 4.2.0 are susceptible to an uncontrolled resource consumption vulnerability (CVE-2026-46374). This flaw enables an attacker to exhaust system resources by providing a specially crafted, excessively long SQL query to the SQLFluff parser. This can lead to a Denial-of-Service (DoS) condition, impacting applications that rely on SQLFluff for SQL query linting. The vulnerability was reported by Ori Nakar from the Imperva Threat Research Team. Version 4.2.0 introduces a configurable parse node limit to mitigate this vulnerability, preventing the parser from processing excessively complex queries.
Exploitation requires untrusted users to be able to submit SQL queries for linting.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts an extremely long and complex SQL query designed to consume excessive resources during parsing.</li>
<li>The attacker submits the malicious SQL query to an application that uses a vulnerable version of SQLFluff (prior to 4.2.0) for linting purposes.</li>
<li>The application passes the query to the SQLFluff parser.</li>
<li>The SQLFluff parser attempts to process the extremely long and complex SQL query.</li>
<li>Due to the lack of input validation and resource limits in vulnerable versions, the parser consumes excessive CPU and memory.</li>
<li>The application&rsquo;s performance degrades significantly as system resources are exhausted.</li>
<li>The application becomes unresponsive or crashes due to the resource exhaustion, leading to a denial-of-service.</li>
<li>Legitimate users are unable to access the application or its SQL linting functionality.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can result in a denial-of-service condition, rendering applications relying on SQLFluff unavailable. The impact is particularly significant in environments where untrusted users can submit arbitrary SQL queries for linting, as it allows malicious actors to easily disrupt service availability. There is no specific victim count available. This affects any environment using SQLFluff prior to version 4.2.0.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SQLFluff to version 4.2.0 or later to incorporate the fix for CVE-2026-46374.</li>
<li>Implement input validation and sanitization on SQL queries submitted for linting to prevent excessively long or complex queries from reaching the SQLFluff parser.</li>
<li>Monitor system resource utilization (CPU, memory) on systems running SQLFluff to detect potential resource exhaustion attacks. Consider deploying the Sigma rule <code>Detect SQLFluff Excessive Query Length</code> to identify potentially malicious queries based on their length.</li>
<li>Configure the parse node limit in SQLFluff 4.2.0 and later to restrict the resources consumed by the parser when processing complex SQL queries.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>resource-exhaustion</category><category>sqlfluff</category></item><item><title>SQLFluff Recursive Stack Overflow Vulnerability (CVE-2026-46373)</title><link>https://feed.craftedsignal.io/briefs/2026-05-sqlfluff-dos/</link><pubDate>Tue, 19 May 2026 20:10:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-sqlfluff-dos/</guid><description>A maliciously crafted SQL query with excessive nesting can cause a denial of service by exhausting resources when parsed by SQLFluff versions prior to 4.1.0; version 4.1.0 introduces a configurable recursion limit to mitigate this vulnerability.</description><content:encoded><![CDATA[<p>SQLFluff versions prior to 4.1.0 are vulnerable to a denial-of-service (DoS) attack (CVE-2026-46373) stemming from a recursive stack overflow in the parser. This vulnerability occurs when an untrusted user submits a malicious SQL query containing excessive nesting. The excessive nesting leads to unbounded recursion during parsing, which exhausts system resources and results in a DoS condition. The Imperva Threat Research Team discovered and reported this vulnerability. SQLFluff is commonly used for linting SQL queries, and deployments that allow untrusted users to submit SQL queries for linting are particularly at risk. Version 4.1.0 and later contain a configurable recursion limit, enabled by default, which effectively mitigates this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target application that utilizes SQLFluff for SQL query linting and accepts user-provided SQL queries.</li>
<li>The attacker crafts a malicious SQL query with deliberate, excessive nesting of SQL constructs (e.g., nested SELECT statements, subqueries, or deeply nested expressions).</li>
<li>The attacker submits the crafted SQL query to the target application.</li>
<li>The target application passes the SQL query to SQLFluff for linting.</li>
<li>SQLFluff&rsquo;s parser attempts to parse the deeply nested SQL query, leading to uncontrolled recursion.</li>
<li>The recursion consumes excessive stack memory and CPU resources.</li>
<li>The application&rsquo;s resources become exhausted, leading to a denial-of-service condition.</li>
<li>The target application becomes unresponsive or crashes, impacting availability for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service condition, rendering the target application unresponsive or unavailable. The severity of the impact depends on the criticality of the affected application and the scale of its user base. While the number of victims is unknown, any system using affected versions of SQLFluff and processing untrusted queries could be impacted. This affects systems where users can supply SQL queries for testing or linting.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SQLFluff to version 4.1.0 or later to benefit from the implemented recursion limit, mitigating CVE-2026-46373.</li>
<li>Implement input validation and sanitization measures to limit the complexity and depth of user-supplied SQL queries, even if SQLFluff is upgraded.</li>
<li>Monitor CPU and memory usage of systems running SQLFluff to detect potential DoS attacks. Deploy the Sigma rule <code>Detect SQLFluff Excessive Recursion Attempt</code> to identify suspicious command execution patterns.</li>
<li>If upgrading is not immediately feasible, consider implementing a rate-limiting mechanism to restrict the number of SQL query submissions from a single user or IP address within a specific timeframe.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dos</category><category>sqlfluff</category><category>CVE-2026-46373</category></item></channel></rss>