CVE-2026-46374: SQLFluff DoS Vulnerability – Resource Exhaustion in Parser
SQLFluff, a widely-used SQL linter and formatter, contains a denial-of-service vulnerability affecting versions prior to 4.2.0. An attacker who can submit SQL queries to an application using SQLFluff's parser can trigger resource exhaustion by crafting an exceptionally long query, causing the service to become unavailable. This risk is most acute in environments where untrusted users have direct access to linting functionality—such as shared development platforms, online SQL validators, or multi-tenant SaaS tools.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
SQLFluff prior to version 4.2.0 is vulnerable to resource exhaustion due to insufficient bounds checking or algorithmic complexity constraints when parsing deeply nested or extremely long SQL statements. The parser lacks adequate safeguards to reject or handle pathological input sizes, allowing an attacker to exhaust CPU, memory, or both. The vulnerability is triggered during the parsing phase itself, making it exploitable without authentication. The root cause falls under CWE-400 (Uncontrolled Resource Consumption), a classic denial-of-service vector in input processing libraries.
Business impact
For organizations running SQLFluff-integrated services, this vulnerability enables attackers to disrupt operational continuity. Online SQL linting platforms, CI/CD pipelines that enforce SQL style checks, and cloud-hosted developer tools become targets for denial-of-service attacks. A single malicious query submission can exhaust resources on shared infrastructure, affecting all users of that service. Downstream impacts include failed deployments, delayed code reviews, and loss of service availability—particularly damaging in agile environments relying on fast feedback loops.
Affected systems
SQLFluff versions prior to 4.2.0 are vulnerable. This includes all installations across all supported SQL dialects (T-SQL, PostgreSQL, BigQuery, Snowflake, etc.), as the vulnerability exists in the core parser logic independent of dialect-specific code. Any application or platform directly exposing SQLFluff's linting API to untrusted input—whether through a web service, API gateway, or embedded library—is at risk. Verify your installed version and check whether your deployment accepts user-supplied SQL queries.
Exploitability
Exploitability is high. The vulnerability requires no authentication, no user interaction, and minimal complexity: an attacker simply submits a crafted long or deeply nested SQL query over the network. The attack surface is broad for any internet-facing service. However, internal deployments where only trusted developers interact with SQLFluff face negligible risk. The CVSS 3.1 score of 7.5 (HIGH) reflects the network accessibility and lack of authentication barriers, though the impact is limited to availability rather than confidentiality or integrity.
Remediation
Upgrade SQLFluff to version 4.2.0 or later immediately. This patch addresses the resource exhaustion issue by implementing proper input validation and resource limits during parsing. Organizations unable to upgrade immediately should implement network-level controls: rate-limit SQL linting requests per user or IP, set query length caps before submission to the parser, and isolate linting services to prevent cascading failures.
Patch guidance
1. Update SQLFluff to 4.2.0 or later using your package manager (pip, conda, npm, etc.). Verify compatibility with your dialect and any custom extensions. 2. Test the upgraded version against your existing linting rules and CI/CD workflows to confirm no behavioral regressions. 3. Redeploy affected services and validate via smoke tests. 4. If running containerized deployments, rebuild and re-push images with the patched version. 5. Check dependency trees; if SQLFluff is a transitive dependency, ensure parent packages allow the upgrade.
Detection guidance
Monitor for anomalous spikes in CPU or memory usage coinciding with linting requests, particularly if submissions are unusually large. Enable query logging or request logging on linting endpoints to identify submissions with abnormally long SQL payloads. Look for repeated requests with progressively longer or more nested SQL structures—a hallmark of resource exhaustion testing. Set alerting thresholds on parser execution time; queries that consume disproportionate cycles may indicate exploitation attempts.
Why prioritize this
This vulnerability should be prioritized if your organization exposes SQLFluff linting to untrusted users or the internet. The combination of high exploitability (network access, no auth required) and operational impact (service downtime) justifies urgent patching. Internal-only deployments are lower priority unless the developer population includes adversarial actors or contractors. Factor in your service's criticality to your development workflow.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a network-accessible denial-of-service vulnerability with no authentication required (AV:N/AC:L/PR:N/UI:N). The attack is straightforward and reliable. Severity is HIGH because availability impact is direct and complete. The score does not account for confidentiality or integrity, as neither is compromised—only service availability. Organizations with low risk tolerance for downtime and high-blast-radius services (e.g., multi-tenant platforms) should treat this as critical; internal tools may rate lower.
Frequently asked questions
Does this vulnerability affect offline or air-gapped SQLFluff deployments?
No. The vulnerability is triggered by submitting a malicious query to the parser. If SQLFluff is used solely offline or in a sandboxed environment with no user input, risk is minimal. Risk increases in any scenario where an untrusted user can submit a query to be linted.
Can I mitigate without upgrading?
Partial mitigation is possible: enforce strict input validation before queries reach SQLFluff (e.g., reject queries longer than N characters), rate-limit requests per user, and run the linter in an isolated container with resource caps. However, these are workarounds; upgrading to 4.2.0 is the definitive fix.
Will upgrading SQLFluff break my existing linting configuration?
Version 4.2.0 is a patch release and should maintain backward compatibility with configuration files and linting rules from 4.1.x. Always test in a non-production environment first to confirm, especially if you use custom plugins or extensions.
Is this vulnerability actively being exploited?
This vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation as of the publication date. However, absence from KEV does not guarantee immunity; proof-of-concept code could be developed. Patch promptly regardless.
This analysis is provided for informational purposes and should not be construed as definitive guidance for your specific environment. Consult vendor advisories and your internal security policy before deploying patches. SEC.co does not warrant the accuracy or completeness of this advisory. Always verify patch compatibility and test in a controlled environment prior to production deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2025-52293HIGHGPAC MP4Box HEVC Parser Denial of Service (CVSS 7.5)
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-10143HIGHkafka-python SCRAM DoS – Event Loop Freeze Vulnerability
- CVE-2026-34713HIGHAdobe CAI Content Credentials Denial-of-Service Vulnerability
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-37234HIGHFlexRIC E42 Resource Leak via Multiple xapp_id Binding