CVE-2026-49498
Description
Ghidra 11.0 before 12.1 has a SQL injection in PostgresFunctionDatabase's changePassword method, allowing authenticated users to gain PostgreSQL superuser privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ghidra versions from 11.0 up to, but not including, 12.1 contain a SQL injection vulnerability in the changePassword() method of the PostgresFunctionDatabase class. The flaw arises because double quotes in usernames are not escaped before the username is interpolated into an ALTER ROLE SQL statement. The affected code is in PostgresFunctionDatabase.java, specifically lines 107-108 [1].
Exploitation
An authenticated attacker can exploit this vulnerability by sending a crafted PasswordChange network message with a specially designed username. The username is retrieved via el.getAttribute("username") in PasswordChange.java and directly appended to the SQL query in PostgresFunctionDatabase.java without proper escaping or validation [1].
Impact
Successful exploitation allows any authenticated BSim user to escalate their privileges to PostgreSQL superuser. This grants the attacker full control over the database server, including the ability to read all data, modify system configurations, create new roles, and potentially execute operating system commands [1, 2].
Mitigation
Ghidra versions 12.1 and later contain a fix for this vulnerability. Users are advised to upgrade to a patched version. No workarounds are specified in the available references, and the vulnerability is listed under CWE-89 [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <12.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The changePassword() method in PostgresFunctionDatabase fails to escape double quotes in usernames interpolated into SQL statements."
Attack vector
An authenticated BSim user can craft a username containing double quotes to break out of the SQL identifier quoting. This crafted username is sent via the PasswordChange network protocol message. The application then interpolates this unescaped username directly into an ALTER ROLE SQL statement, allowing for SQL injection. This enables an attacker to execute arbitrary SQL commands.
Affected code
The vulnerability exists in the `changePassword()` method of `PostgresFunctionDatabase.java` within the Ghidra project. Specifically, lines 107-108 show the interpolation of the `username` directly into an `ALTER ROLE` SQL statement without proper escaping. The `username` is obtained from the `PasswordChange` network protocol message in `PasswordChange.java`.
What the fix does
The advisory indicates that the vulnerability is fixed by escaping double quotes within the username parameter before it is interpolated into the SQL statement. This prevents crafted usernames from breaking out of the SQL identifier quoting and executing arbitrary SQL commands. The patch ensures that the username is properly sanitized, mitigating the SQL injection risk.
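As an added illustration (not Ghidra's code and not the fix commit), the Java below places the raw-interpolation pattern the advisory describes beside a hardened builder. The hardened version applies PostgreSQL's quoted-identifier rule (a double quote inside a quoted identifier is written as two double quotes), quotes the password as a string literal, and adds an allowlist check as defense in depth. The class, method and sample names are assumptions made for this example.

```java
import java.util.regex.Pattern;

/**
 * Added example, not code from Ghidra or from the fix commit.
 * Class and method names are assumptions for illustration only.
 */
public class RoleIdentifierQuoting {

    /** Unsafe pattern described by the advisory: the identifier is interpolated raw. */
    static String buildVulnerable(String username, String password) {
        return "ALTER ROLE \"" + username + "\" PASSWORD '" + password + "'";
    }

    /** PostgreSQL rule: inside a quoted identifier, a double quote is written as two. */
    static String quoteIdentifier(String name) {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid identifier");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    /** PostgreSQL rule: inside a string literal, a single quote is written as two. */
    static String quoteLiteral(String value) {
        if (value == null || value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid literal");
        }
        return "'" + value.replace("'", "''") + "'";
    }

    /** Defense in depth: accept only plain role names within PostgreSQL's 63-character limit. */
    private static final Pattern SIMPLE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    static boolean isAllowedRoleName(String name) {
        return name != null && SIMPLE_NAME.matcher(name).matches();
    }

    /** Hardened builder: allowlist first, then proper identifier and literal quoting. */
    static String buildHardened(String username, String password) {
        if (!isAllowedRoleName(username)) {
            throw new IllegalArgumentException("role name rejected by allowlist");
        }
        return "ALTER ROLE " + quoteIdentifier(username) + " PASSWORD " + quoteLiteral(password);
    }

    public static void main(String[] args) {
        String ordinary = "alice";
        String withQuote = "ali\"ce";   // constructed sample: a name carrying an embedded double quote

        System.out.println(buildVulnerable(ordinary, "s3cret"));
        // With raw concatenation the embedded quote terminates the identifier early,
        // which is the breakout the advisory describes:
        System.out.println(buildVulnerable(withQuote, "s3cret"));

        // Doubling the embedded quote keeps the whole name inside one identifier:
        System.out.println(quoteIdentifier(withQuote));   // prints "ali""ce"

        // The hardened builder rejects the name before any SQL is assembled:
        try {
            buildHardened(withQuote, "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(buildHardened(ordinary, "s3cret"));
    }
}
```

On Java 9 and later, java.sql.Statement.enquoteIdentifier and enquoteLiteral implement the same doubling rules for JDBC, so a project can lean on those instead of hand-written helpers; the allowlist is the stricter choice where role names never legitimately need quotes or special characters. Either way, treating the username as an identifier to be quoted, rather than text to be concatenated, is the property the fix restores.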
Preconditions
- auth: The attacker must be an authenticated BSim user.
- network: The attack is delivered via a network message.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- National Security Agency's Ghidra: 15 Vulnerabilities Disclosed on June 10, 2026 (Vypr Intelligence, Jun 10, 2026)