CVE-2026-52758: Ghidra SQL Injection in BSim Filter (CVSS 8.8)
Ghidra, the NSA's reverse-engineering toolkit, contains a SQL injection flaw in its BSim (Binary Similarity) feature before version 12.1. An attacker with network access and valid credentials can craft malicious queries through BSim's network protocol to inject SQL commands directly into the underlying PostgreSQL database. This allows reading sensitive data, modifying existing records, or destroying data outright. The vulnerability requires authentication, but the impact if exploited is severe.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-89
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the PostgreSQL database.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-52758 is a SQL injection vulnerability (CWE-89) affecting Ghidra's BSim filter functionality. The BSim network query protocol concatenates user-supplied filter values directly into SQL queries without parameterization or input escaping before execution against the PostgreSQL backend. An authenticated remote attacker can leverage this to inject arbitrary SQL commands, gaining full database read, write, and delete capabilities. The CVSS 3.1 score of 8.8 (HIGH) reflects the high confidentiality, integrity, and availability impact, with low attack complexity but requiring prior authentication (PR:L). This represents a classic, high-confidence SQL injection pattern in a widely-used reverse-engineering platform.
Business impact
For organizations using Ghidra in security research, malware analysis, or firmware assessment workflows, this vulnerability poses a significant risk to sensitive analysis data and intellectual property. Compromised BSim databases could leak function signatures, sample metadata, or analysis notes to competitors or adversaries. In incident response and forensics contexts, database tampering could undermine the integrity of investigation records. The authentication requirement limits blast radius but means insider threats or compromised tool accounts become a critical escalation vector. Patching is urgent for any multi-user BSim deployment.
Affected systems
All versions of Ghidra before 12.1 are vulnerable. The flaw specifically affects deployments using BSim with network-accessible query functionality, particularly those backed by PostgreSQL. Organizations running Ghidra as a standalone application without network BSim may have lower risk, but shared BSim repositories accessed over networks are the primary attack surface. Check your Ghidra installation version and verify whether BSim network queries are enabled and accessible from untrusted network segments.
Exploitability
Exploitability is moderate to high in practical scenarios. The vulnerability requires an attacker to have valid credentials for BSim access (PR:L per CVSS), which rules out fully unauthenticated attacks. However, in environments where Ghidra accounts are shared, weak credentials, or single-sign-on is poorly scoped, credential compromise becomes a likely stepping stone. Network accessibility (AV:N) and low attack complexity (AC:L) mean the actual SQL injection payload is trivial to craft once authenticated. No user interaction or special system configuration is needed beyond network reachability. The lack of a public exploit does not significantly lower practical risk, as SQL injection payloads for PostgreSQL are well-documented.
Remediation
Upgrade Ghidra to version 12.1 or later, which includes input sanitization and parameterized query logic for all BSim filter operations. Before upgrading, audit your BSim database access logs for any suspicious query patterns or unusual data modifications. If immediate patching is not feasible, restrict network access to BSim query endpoints via firewall rules or network segmentation, allowing only trusted analyst workstations. Rotate credentials for accounts with BSim access and monitor for unauthorized authentication attempts. Consider temporarily disabling remote BSim queries until patches are applied.
Patch guidance
Patch availability: Ghidra 12.1 or later contains the fix. Verify the release notes and changelog against the NSA Ghidra GitHub repository or official distribution channels. Deployment steps: back up your BSim database before upgrading, test the upgrade in a non-production environment first, and plan for brief downtime if BSim services are actively in use. Roll back procedures should be documented in case the new version introduces compatibility issues with existing analysis data. Post-upgrade, validate that BSim queries still function correctly and that historical analysis remains intact.
Detection guidance
Monitor PostgreSQL logs for unusual SQL patterns in BSim-related queries, including UNION, DROP, INSERT, or UPDATE statements in places where only SELECT queries should occur. Review Ghidra application logs for authentication failures or unusual BSim network requests. Use database activity monitoring (DAM) or query auditing tools if available. Check for unexpected database schema changes or missing tables. In high-security environments, enable full SQL query logging on the PostgreSQL backend and correlate timestamps with Ghidra client activities. Look for evidence of data exfiltration (large SELECT results) or destructive operations during the window before the vulnerability was discovered or patched.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.8), direct impact on data confidentiality and integrity, and the sensitivity of reverse-engineering and security analysis data that Ghidra typically handles. Although authentication is required, the simplicity of SQL injection exploitation and the potential for lateral movement through compromised credentials make it a natural escalation vector in breach scenarios. For organizations with mature reverse-engineering or incident response programs, BSim repositories often contain irreplaceable analytical work; loss or corruption would be operationally devastating.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: (1) Network attack surface (AV:N) — BSim can be queried remotely; (2) Low attack complexity (AC:L) — SQL injection requires no special conditions; (3) Low privilege requirement (PR:L) — valid BSim credentials are needed, a significant but not insurmountable barrier; (4) No user interaction (UI:N) — the attack is automated; (5) Unchanged scope (S:U); (6) High confidentiality, integrity, and availability impact (C:H/I:H/A:H) — full database read, write, delete. The 8.8 HIGH rating appropriately captures this as a serious vulnerability requiring swift remediation, especially in networked multi-user deployments.
Frequently asked questions
Can this vulnerability be exploited without valid Ghidra credentials?
No. The CVSS vector requires PR:L (low privilege), meaning the attacker must have a legitimate BSim user account or valid credentials. However, in environments with shared accounts, default credentials, or weak access controls, obtaining credentials is often straightforward.
Does upgrading to Ghidra 12.1 break existing BSim databases or analysis data?
Ghidra 12.1 includes input sanitization fixes but maintains backward compatibility with existing BSim repositories. Always test the upgrade in a non-production environment first and back up your database, but data loss due to the patch itself is not expected.
What if we're using Ghidra in standalone mode without BSim networking?
Standalone Ghidra installations without remote BSim queries have minimal exposure to this vulnerability. However, if you ever plan to enable BSim networking or share analysis data across a team, patching is still recommended as a preventive measure.
Are there compensating controls if we cannot patch immediately?
Yes. Implement network segmentation to restrict BSim query traffic to trusted internal networks only, require VPN access for remote analysts, rotate BSim credentials frequently, and enable detailed PostgreSQL query logging to detect exploitation attempts. These reduce risk significantly but do not eliminate it.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. Security assessments, patch timing, and risk prioritization should be adapted to your specific environment, threat model, and operational constraints. Consult the NSA Ghidra official repository and security advisories for the most current patch and deployment information. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends independent verification of all findings before making security decisions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49498HIGHGhidra PostgreSQL SQL Injection – Privilege Escalation Vulnerability
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches
- CVE-2017-20246HIGHKittyCatfish 2.2 SQL Injection Vulnerability – WordPress Plugin Security Alert