HIGH 8.8

CVE-2026-49498: Ghidra PostgreSQL SQL Injection – Privilege Escalation Vulnerability

Ghidra versions 11.0 through 12.0 contain a SQL injection flaw in the password-change functionality of its PostgreSQL database integration. An authenticated user can manipulate their username to inject malicious SQL commands, ultimately gaining superuser access to the entire PostgreSQL database. This is a post-authentication attack that requires valid credentials but can lead to complete database compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-89
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-14

NVD description (verbatim)

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the changePassword() method of PostgresFunctionDatabase, where user-supplied usernames are interpolated directly into ALTER ROLE SQL statements without proper escaping of double-quote characters. An attacker with valid Ghidra credentials can craft a PasswordChange network message containing a specially formatted username that breaks out of the intended SQL context and injects arbitrary commands. The unescaped double quotes allow the attacker to close the username string prematurely and append malicious SQL, such as granting superuser privileges to their own role. This is a classic SQL injection scenario (CWE-89) enabled by insufficient input sanitization in a database abstraction layer.

Business impact

Successful exploitation grants an authenticated attacker complete control over the PostgreSQL database backend used by Ghidra. This includes the ability to read, modify, or delete any data stored in that database, create new superuser accounts for persistence, and potentially pivot to other systems that depend on the database. For organizations using Ghidra in security-sensitive contexts (reverse engineering, vulnerability analysis, incident response), database compromise exposes analysis projects, metadata, and collaboration records. The attack requires valid Ghidra credentials but can escalate a regular user's privilege far beyond their intended scope.

Affected systems

NSA Ghidra versions 11.0 through 12.0 (inclusive) are affected when configured to use PostgreSQL as the backend database for collaborative or multi-user deployments. Single-user Ghidra installations that do not use PostgreSQL are not vulnerable. Standalone Ghidra instances using the embedded database are also not affected. The vulnerability is specific to the PostgresFunctionDatabase component, so deployments relying on other database backends do not face this particular risk.

Exploitability

Exploitation requires valid Ghidra credentials and network access to the PostgreSQL database layer. The attack is straightforward to execute: an authenticated user simply modifies the username field in a PasswordChange message with a crafted payload containing unescaped double quotes and SQL injection syntax. No complex multi-stage attack or race condition is necessary. The relatively low barrier to exploitation (valid credentials + straightforward injection) combined with the high impact (superuser database access) makes this a material risk for any multi-user Ghidra deployment. The CVSS 3.1 score of 8.8 reflects the high confidentiality, integrity, and availability impact, moderated only by the requirement for prior authentication.

Remediation

Upgrade Ghidra to version 12.1 or later, which properly escapes double quotes and other special characters in username parameters before constructing ALTER ROLE statements. Organizations unable to upgrade immediately should restrict network access to the PostgreSQL database to only trusted Ghidra application servers, implement database activity monitoring to detect unusual ALTER ROLE or privilege-escalation commands, and enforce strong authentication policies to reduce the number of valid accounts that could be compromised.

Patch guidance

NSA has released Ghidra 12.1 with a fix for this vulnerability. Update all affected Ghidra deployments to version 12.1 or later. Verify the patch by confirming the version number in Ghidra's About dialog or via the command line (ghidra_version command). Test the upgrade in a non-production environment first to ensure compatibility with existing databases and client configurations. Review release notes for any breaking changes or migration steps.

Detection guidance

Monitor PostgreSQL audit logs for unexpected ALTER ROLE statements, especially those granting superuser privileges or altering role attributes for accounts that should not have such permissions. Look for PasswordChange network messages containing usernames with unusual characters (double quotes, semicolons, SQL keywords) in Ghidra network traffic captures or application logs. Enable verbose logging in PostgresFunctionDatabase if available. Inspect database user accounts for unauthorized privilege escalations or new superuser roles created without administrative approval. Query the PostgreSQL system catalog (pg_roles) for unexpected role modifications.

Why prioritize this

This vulnerability merits high priority because it combines easy exploitability (for authenticated users) with severe impact (full database control). While it requires valid Ghidra credentials, insider threats, compromised accounts, or lateral movement from other breached systems can rapidly lead to database compromise. Any organization running multi-user Ghidra should treat this as a priority patch candidate, especially if the PostgreSQL backend stores sensitive reverse-engineering or security analysis data.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects the high impact across confidentiality, integrity, and availability (all rated High in the vector). The attack vector is network-based, access complexity is low, and no user interaction is required beyond the attacker's own authentication. The primary mitigating factor is the requirement for prior valid credentials (PR:L), which prevents unauthenticated exploitation. Organizations with strong access controls and credential hygiene can reduce practical risk, but the intrinsic severity remains high.

Frequently asked questions

Does this affect Ghidra if I'm not using PostgreSQL as the database backend?

No. This vulnerability is specific to the PostgresFunctionDatabase component, which is only used when Ghidra is configured with a PostgreSQL backend for multi-user or collaborative deployments. Single-user Ghidra installations using the embedded database, or deployments using other database systems, are not affected.

Can this vulnerability be exploited by unauthenticated users?

No. The vulnerability requires valid Ghidra credentials. An attacker must first authenticate to Ghidra before they can send a crafted PasswordChange message. However, once authenticated, the attacker can escalate their privileges to PostgreSQL superuser without requiring any special permissions within Ghidra itself.

What should I do if I cannot upgrade immediately?

Restrict network access to your PostgreSQL database to only the Ghidra application server, implement database activity monitoring to detect privilege-escalation attempts, enforce strong authentication to limit the number of valid Ghidra accounts, and consider temporarily disabling remote access to Ghidra if not operationally critical. Plan an upgrade to version 12.1 or later as soon as feasible.

How do I verify that my Ghidra deployment is affected?

Check your Ghidra version (Help > About Ghidra) and confirm you are running version 11.0 through 12.0. Verify that your Ghidra server is configured to use PostgreSQL as its backend database by checking the server configuration or database connection settings. If both conditions are true, your deployment is affected and should be upgraded.

This analysis is provided for informational purposes and reflects the state of the vulnerability as of the publication date. SEC.co does not guarantee the completeness or accuracy of all details and recommends verification against official vendor advisories and your own security testing. Patch version numbers and affected versions should be validated against NSA's official Ghidra release notes before deployment. Organizations should conduct their own risk assessment based on their deployment architecture, data sensitivity, and threat model. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).