High severity (7.5) · GHSA Advisory · Published May 19, 2026 · Updated May 19, 2026

SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser

CVE-2026-46374

Description

Impact

In deployments where untrusted users can provide SQL queries to be linted, such a user can submit a deliberately long query to any application that uses the parser and trigger a denial of service through resource exhaustion.

Patches

Versions 4.2.0 and up contain a configurable parse node limit, which is enabled by default, to prevent this manner of exploit.

Credit

Ori Nakar from Imperva Threat Research Team.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQLFluff parser before 4.2.0 allows denial of service via resource exhaustion when untrusted users submit malicious long SQL queries.

Vulnerability

SQLFluff is a SQL linter and formatter. In versions prior to 4.2.0, the parser does not limit the number of parse nodes, allowing an attacker to submit a crafted long SQL query that causes excessive resource consumption. This affects any application that exposes the parser to untrusted user input. [1][2]

Exploitation

An attacker needs only network access to submit a malicious SQL query to an application using the vulnerable parser. No authentication or special privileges are required. The attacker crafts a long query that triggers deep parsing, exhausting CPU and memory resources. [2][3]

Impact

Successful exploitation leads to denial of service (availability impact) as the parser consumes excessive resources, potentially causing the application to become unresponsive or crash. No confidentiality or integrity impact is reported. [2][3]

Mitigation

The fix is included in SQLFluff version 4.2.0, which introduces a configurable parse node limit enabled by default. Users should upgrade to 4.2.0 or later. No workaround is available for earlier versions. [2][3]
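The defensive pattern the advisory describes, a parser that counts the nodes it allocates and aborts once a configurable limit is exceeded, is shown below as an added illustration. This is not SQLFluff's code and it does not use SQLFluff's configuration key (which this page does not name); the grammar, the `BudgetedParser` class, the `max_nodes` parameter and the sample inputs are all constructed for the example. Passing `max_nodes=None` reproduces the unbounded behaviour, while the default budget turns an oversized input into a fast, deterministic rejection.

```python
"""Illustrative parse-node budget for a recursive-descent parser.

Added example, not SQLFluff's own code: a toy parser over a tiny
comma-separated-list grammar (constructed for this example) that counts
the parse nodes it allocates and aborts once a configurable limit is
exceeded, mirroring the fix described in the advisory.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class ParseNodeLimitExceeded(Exception):
    """Raised when a parse would allocate more nodes than the budget allows."""


@dataclass
class Node:
    kind: str
    children: List["Node"] = field(default_factory=list)


class BudgetedParser:
    """Parses comma-separated identifiers with parenthesised sub-lists.

    Grammar (constructed for this example):
        list := item (',' item)*
        item := IDENT | '(' list ')'
    """

    def __init__(self, text: str, max_nodes: Optional[int] = 10_000):
        self.tokens = self._tokenize(text)
        self.pos = 0
        # None disables the limit, i.e. the unbounded pre-fix behaviour.
        self.max_nodes = max_nodes
        self.node_count = 0

    @staticmethod
    def _tokenize(text: str) -> List[str]:
        tokens: List[str] = []
        buf: List[str] = []
        for ch in text:
            if ch in "()," or ch.isspace():
                if buf:
                    tokens.append("".join(buf))
                    buf = []
                if ch in "(),":
                    tokens.append(ch)
            else:
                buf.append(ch)
        if buf:
            tokens.append("".join(buf))
        return tokens

    def _new_node(self, kind: str) -> Node:
        # Every allocation passes through here, so the budget check is central.
        self.node_count += 1
        if self.max_nodes is not None and self.node_count > self.max_nodes:
            raise ParseNodeLimitExceeded(
                f"parse aborted after {self.node_count} nodes (limit {self.max_nodes})")
        return Node(kind)

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _expect(self, tok: str) -> None:
        if self._peek() != tok:
            raise SyntaxError(f"expected {tok!r} at token {self.pos}")
        self.pos += 1

    def parse(self) -> Node:
        root = self._parse_list()
        if self._peek() is not None:
            raise SyntaxError("trailing tokens")
        return root

    def _parse_list(self) -> Node:
        node = self._new_node("list")
        node.children.append(self._parse_item())
        while self._peek() == ",":
            self.pos += 1
            node.children.append(self._parse_item())
        return node

    def _parse_item(self) -> Node:
        if self._peek() == "(":
            self.pos += 1
            node = self._new_node("group")
            node.children.append(self._parse_list())
            self._expect(")")
            return node
        tok = self._peek()
        if tok is None or tok in "(),":
            raise SyntaxError(f"expected identifier at token {self.pos}")
        self.pos += 1
        return self._new_node("ident")


def count_nodes(text: str, max_nodes: Optional[int]) -> int:
    """Parse `text` under the given budget and return the node count."""
    parser = BudgetedParser(text, max_nodes)
    parser.parse()
    return parser.node_count


def parse_is_within_budget(text: str, max_nodes: int) -> bool:
    """True if the input parses within the limit, False if the limit aborts it."""
    try:
        count_nodes(text, max_nodes)
        return True
    except ParseNodeLimitExceeded:
        return False


if __name__ == "__main__":
    # Constructed inputs: a small nested list and a very wide one.
    print(count_nodes("(a, (b, c)), d", 100))            # 9 nodes
    wide = ", ".join(["col"] * 5000)
    print(parse_is_within_budget(wide, 1000))             # False: rejected early
```

The important design point is that the check lives in the single allocation path rather than in a pre-filter on input length: a short input with an expensive structure and a long but cheap input are both judged by the work they actually cause, which is what a node limit measures.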

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
