SQL Injection Vulnerability in Electric Postgres Sync Engine by Electric
CVE-2026-40906

10 CRITICAL

Key Information:

CVE Published: 21 April 2026

What is CVE-2026-40906?

The Electric Postgres Sync Engine, in versions from 1.1.12 up to but not including 1.5.0, is vulnerable to error-based SQL injection through the order_by parameter of the ElectricSQL /v1/shape API. An authenticated user who can reach the API can submit crafted ORDER BY expressions that the engine passes to the underlying PostgreSQL database, allowing them to read sensitive data, modify existing records, or delete database contents entirely. Users are advised to upgrade to version 1.5.0 or later, where the issue is fixed.
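The hardening pattern that closes this class of bug, shown here as an added illustration rather than ElectricSQL's own code (none of which appears on this page): instead of splicing a client-supplied order_by string into the query text, parse it into column/direction pairs, accept only allowlisted column names, and quote the identifiers. The allowlist, function names and the `unsafe_order_by` contrast are hypothetical.

```python
import re
from typing import Iterable, List, Optional

# Hypothetical allowlist of sortable columns for one shape; a real service
# would derive it from the table's schema rather than hard-code it.
ALLOWED_SORT_COLUMNS = frozenset({"id", "created_at", "title"})

# One ORDER BY term: a plain identifier, optionally followed by ASC or DESC.
_TERM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$", re.IGNORECASE)


class InvalidOrderBy(ValueError):
    """Raised when a client-supplied order_by value is rejected."""


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier, doubling any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def unsafe_order_by(order_by: str) -> str:
    """The pattern behind this bug class, shown only for contrast: the client
    string is spliced into the SQL text, so whatever PostgreSQL can parse runs."""
    return "ORDER BY " + order_by


def build_order_by(order_by: str, allowed: Iterable[str] = ALLOWED_SORT_COLUMNS) -> str:
    """Turn a client string such as "created_at DESC, id" into a safe clause.
    Only allowlisted column names plus the literal keywords ASC/DESC pass;
    functions, subqueries or any extra syntax are rejected before reaching SQL."""
    allowed_set = set(allowed)
    clauses: List[str] = []
    for raw in order_by.split(","):
        term = raw.strip()
        match = _TERM_RE.match(term)
        if not match:
            raise InvalidOrderBy(f"malformed order_by term: {term!r}")
        column, direction = match.group(1), (match.group(2) or "ASC").upper()
        if column not in allowed_set:
            raise InvalidOrderBy(f"column is not sortable: {column!r}")
        clauses.append(f"{quote_ident(column)} {direction}")
    return "ORDER BY " + ", ".join(clauses)


def order_by_or_none(order_by: str) -> Optional[str]:
    """Wrapper for a request handler: the clause, or None meaning reply 400."""
    try:
        return build_order_by(order_by)
    except InvalidOrderBy:
        return None
```

Rejecting at the API boundary also gives the application a single place to log refused order_by values, which is a useful detection signal for probing of this parameter.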

Affected Version(s)

electric >= 1.1.12, < 1.5.0

CVSS v3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
