CVE-2026-41478: Saltcorn SQL Injection Allows Full Database Compromise (CVSS 9.9)

Executive Summary

A critical SQL injection vulnerability (CVE-2026-41478) has been discovered in Saltcorn, an open-source no-code database application builder. The flaw carries a CVSS score of 9.9 — the highest possible for an authenticated vulnerability — and is classified as CWE-89: Improper Neutralization of Special Elements Used in an SQL Command.

The vulnerability exists in Saltcorn's mobile-sync routes and can be exploited by any authenticated user with read access to at least one table. A low-privilege attacker can inject arbitrary SQL to read, modify, or delete any data in the underlying database — including admin credentials — effectively achieving full application compromise.

Versions before 1.4.6, 1.5.6, and 1.6.0-beta.5 are affected. Administrators should update immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-41478
CVSS Score	9.9 (Critical)
CWE	CWE-89 — SQL Injection
Type	SQL Injection / Privilege Escalation
Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low (any authenticated user)
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Yes — 1.4.6, 1.5.6, 1.6.0-beta.5
NVD Status	Published 2026-04-24

Affected Versions

Product	Affected Versions	Fixed Version
Saltcorn (stable)	All versions before 1.4.6	1.4.6
Saltcorn (stable)	All versions before 1.5.6	1.5.6
Saltcorn (beta)	All versions before 1.6.0-beta.5	1.6.0-beta.5

Technical Analysis

Root Cause

Saltcorn's mobile-sync feature enables mobile app clients to synchronize table data with the server. The sync routes accept table and field identifiers from the client request and incorporate them directly into SQL queries without adequate parameterization or sanitization.

An attacker with a valid session (even the lowest-privilege user account) can send a crafted sync request with SQL-injected table or field names, causing the server to execute arbitrary SQL on the underlying database.

Attack Flow

1. Attacker has any valid Saltcorn account with read access to one table
2. Attacker sends a crafted POST request to the mobile-sync endpoint
3. The injected payload embeds additional SQL clauses in the query
4. Saltcorn's database driver executes the combined query without restriction
5. Attacker reads: all user records, credentials, admin password hashes
6. Attacker writes: create new admin account, modify existing records
7. Attacker achieves full application takeover

Example Injection Pattern

-- Legitimate sync query (simplified)
SELECT * FROM "user_table" WHERE id = ?
 
-- With SQL injection via table name parameter
SELECT * FROM "user_table" UNION SELECT id, email, password FROM "_sc_users"--

Why CVSS 9.9

The near-maximum score reflects:

Metric	Value	Reason
Low privilege	PR:L	Only requires a basic user account — no admin needed
No user interaction	UI:N	Fully server-side exploitation
Changed scope	S:C	Impact extends beyond the attacker's own data to all database contents
Full C/I/A impact	H/H/H	Complete read/write/delete access to all database tables

Saltcorn is used by organizations to build internal business applications, potentially storing sensitive employee data, customer records, financial information, and application credentials.

Impact Assessment

Impact Area	Description
Full Database Exfiltration	All tables, including admin credentials and sensitive records
Admin Account Compromise	Password hashes (or plaintext if stored) of all users including admins
Data Manipulation	Create, modify, or delete any record across any table
Authentication Bypass	Create new admin accounts for persistent access
Application Takeover	Full control of the Saltcorn instance and all hosted applications
Lateral Movement	Database credentials may grant access to other systems

Immediate Remediation

Step 1: Update Saltcorn

# npm global installation
npm update -g @saltcorn/cli
 
# Verify version
saltcorn --version
# Expected: 1.4.6, 1.5.6, or 1.6.0-beta.5+
 
# Docker-based deployments
docker pull saltcorn/saltcorn:latest
docker-compose up -d
 
# Check installed version in package.json
cat node_modules/@saltcorn/db-common/package.json | grep '"version"'

Step 2: Temporary Mitigation (If Immediate Update Is Not Possible)

If mobile sync is not required, disable it at the network or application level:

# Block mobile-sync routes via reverse proxy (nginx example)
location /api/mobile_sync {
    return 403;
}
 
# Or restrict to trusted IP ranges only
location /api/mobile_sync {
    allow 192.168.1.0/24;
    deny all;
}

Step 3: Audit for Compromise

-- Check for unexpected admin users created recently
SELECT email, role_id, created_at FROM users
WHERE role_id = 1
ORDER BY created_at DESC;
 
-- Look for anomalous data access patterns in Saltcorn logs
SELECT * FROM _sc_event_log
WHERE action LIKE '%sync%'
ORDER BY created_at DESC
LIMIT 100;

Step 4: Reset Credentials

After patching, reset all user passwords — particularly admin accounts — as hashes may have been exfiltrated:

# Via Saltcorn CLI
saltcorn reset-schema --force
# Then recreate admin user
 
# Or reset specific password
saltcorn set-admin-password --email admin@example.com --password <new-strong-password>

Detection Indicators

Indicator	Description
Unusual payloads in mobile-sync API logs	SQL keywords (UNION, SELECT, FROM) in sync request bodies
New admin user accounts created unexpectedly	Post-exploitation persistence via account creation
Database query errors in application logs	Error-based SQL injection attempts
Unexpected data exports or large response payloads	Successful data exfiltration via injection
Access to sync endpoint from unexpected IP addresses	External exploitation attempts

Post-Remediation Checklist

Update Saltcorn to 1.4.6, 1.5.6, or 1.6.0-beta.5 immediately
Audit admin and user accounts for unauthorized additions
Reset all user passwords, especially admin credentials
Review mobile-sync access logs for injection indicators
Restrict mobile-sync endpoint access if not needed
Enable WAF rules to detect SQL injection patterns in request bodies
Rotate database credentials if the database is shared with other services
Verify all application data for unauthorized modifications

References

Executive Summary

Versions before 1.4.6, 1.5.6, and 1.6.0-beta.5 are affected. Administrators should update immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-41478
CVSS Score	9.9 (Critical)
CWE	CWE-89 — SQL Injection
Type	SQL Injection / Privilege Escalation
Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low (any authenticated user)
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Yes — 1.4.6, 1.5.6, 1.6.0-beta.5
NVD Status	Published 2026-04-24

Affected Versions

Product	Affected Versions	Fixed Version
Saltcorn (stable)	All versions before 1.4.6	1.4.6
Saltcorn (stable)	All versions before 1.5.6	1.5.6
Saltcorn (beta)	All versions before 1.6.0-beta.5	1.6.0-beta.5

Technical Analysis

Root Cause

Attack Flow

1. Attacker has any valid Saltcorn account with read access to one table
2. Attacker sends a crafted POST request to the mobile-sync endpoint
3. The injected payload embeds additional SQL clauses in the query
4. Saltcorn's database driver executes the combined query without restriction
5. Attacker reads: all user records, credentials, admin password hashes
6. Attacker writes: create new admin account, modify existing records
7. Attacker achieves full application takeover

Example Injection Pattern

-- Legitimate sync query (simplified)
SELECT * FROM "user_table" WHERE id = ?
 
-- With SQL injection via table name parameter
SELECT * FROM "user_table" UNION SELECT id, email, password FROM "_sc_users"--

Why CVSS 9.9

The near-maximum score reflects:

Metric	Value	Reason
Low privilege	PR:L	Only requires a basic user account — no admin needed
No user interaction	UI:N	Fully server-side exploitation
Changed scope	S:C	Impact extends beyond the attacker's own data to all database contents
Full C/I/A impact	H/H/H	Complete read/write/delete access to all database tables

Saltcorn is used by organizations to build internal business applications, potentially storing sensitive employee data, customer records, financial information, and application credentials.

Impact Assessment

Impact Area	Description
Full Database Exfiltration	All tables, including admin credentials and sensitive records
Admin Account Compromise	Password hashes (or plaintext if stored) of all users including admins
Data Manipulation	Create, modify, or delete any record across any table
Authentication Bypass	Create new admin accounts for persistent access
Application Takeover	Full control of the Saltcorn instance and all hosted applications
Lateral Movement	Database credentials may grant access to other systems

Immediate Remediation

Step 1: Update Saltcorn

# npm global installation
npm update -g @saltcorn/cli
 
# Verify version
saltcorn --version
# Expected: 1.4.6, 1.5.6, or 1.6.0-beta.5+
 
# Docker-based deployments
docker pull saltcorn/saltcorn:latest
docker-compose up -d
 
# Check installed version in package.json
cat node_modules/@saltcorn/db-common/package.json | grep '"version"'

Step 2: Temporary Mitigation (If Immediate Update Is Not Possible)

If mobile sync is not required, disable it at the network or application level:

# Block mobile-sync routes via reverse proxy (nginx example)
location /api/mobile_sync {
    return 403;
}
 
# Or restrict to trusted IP ranges only
location /api/mobile_sync {
    allow 192.168.1.0/24;
    deny all;
}

Step 3: Audit for Compromise

-- Check for unexpected admin users created recently
SELECT email, role_id, created_at FROM users
WHERE role_id = 1
ORDER BY created_at DESC;
 
-- Look for anomalous data access patterns in Saltcorn logs
SELECT * FROM _sc_event_log
WHERE action LIKE '%sync%'
ORDER BY created_at DESC
LIMIT 100;

Step 4: Reset Credentials

After patching, reset all user passwords — particularly admin accounts — as hashes may have been exfiltrated:

# Via Saltcorn CLI
saltcorn reset-schema --force
# Then recreate admin user
 
# Or reset specific password
saltcorn set-admin-password --email admin@example.com --password <new-strong-password>

Detection Indicators

Indicator	Description
Unusual payloads in mobile-sync API logs	SQL keywords (UNION, SELECT, FROM) in sync request bodies
New admin user accounts created unexpectedly	Post-exploitation persistence via account creation
Database query errors in application logs	Error-based SQL injection attempts
Unexpected data exports or large response payloads	Successful data exfiltration via injection
Access to sync endpoint from unexpected IP addresses	External exploitation attempts

Post-Remediation Checklist

Update Saltcorn to 1.4.6, 1.5.6, or 1.6.0-beta.5 immediately
Audit admin and user accounts for unauthorized additions
Reset all user passwords, especially admin credentials
Review mobile-sync access logs for injection indicators
Restrict mobile-sync endpoint access if not needed
Enable WAF rules to detect SQL injection patterns in request bodies
Rotate database credentials if the database is shared with other services
Verify all application data for unauthorized modifications

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Example Injection Pattern

Why CVSS 9.9

Impact Assessment

Immediate Remediation

Step 1: Update Saltcorn

Step 2: Temporary Mitigation (If Immediate Update Is Not Possible)

Step 3: Audit for Compromise

Step 4: Reset Credentials

Detection Indicators

Post-Remediation Checklist

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Example Injection Pattern

Why CVSS 9.9

Impact Assessment

Immediate Remediation

Step 1: Update Saltcorn

Step 2: Temporary Mitigation (If Immediate Update Is Not Possible)

Step 3: Audit for Compromise

Step 4: Reset Credentials

Detection Indicators

Post-Remediation Checklist

References