CVE-2026-6093

Corteza [2], an open-source low-code platform, is vulnerable to a SQL injection attack in its Microsoft SQL Server backend when filtering Compose records by the meta field. The root cause is a combination of two bugs: the jsonPath function in server/store/adapters/rdbms/drivers/mssql/json.go escapes a single quote with a backslash (\'), which is not a valid T-SQL string escape sequence (T-SQL requires ''), allowing a single quote to terminate the SQL string literal early. Additionally, payload.ParseMeta in Meta in server/pkg/payload/util.go skips validation of the key format when the input is a JSON object, enabling arbitrary characters—including single quotes—in the keys [1].

An authenticated attacker with records.search permission on a module with a meta attribute can exploit this by sending a crafted HTTP GET request with a JSON object in the meta parameter containing a malicious key. The backslash escape fails, and the injected single quote breaks out of the string, allowing the attacker to inject arbitrary SQL to be appended to the JSON_VALUE / CASE expression [1]. The vulnerability is specific to deployments using the MSSQL backend; other databases are not affected.

Successful exploitation permits arbitrary SQL commands against the MSSQL database, potentially leading to data theft, modification, privilege escalation, or full database compromise, depending on the permissions of the application's database account [1].

As of the advisory publication date, no official patch has been released for Corteza 2024.9.8 [1]. Users should restrict access to the vulnerable endpoint, apply input validation, or upgrade to a patched version once available.