SQL Injection Vulnerability in Dagster's Dynamic Partition Configuration
CVE-2026-41490

8.3HIGH

Key Information:

Vendor: Dagster-io
Status: Dagster
Vendor: CVE Published:; 7 May 2026

What is CVE-2026-41490?

Dagster, an orchestration platform for managing data assets, has a vulnerability in its handling of dynamic partition keys. In versions prior to 1.13.1 for Dagster Core and 0.29.1 for its libraries, the system allowed the construction of SQL WHERE clauses that lacked proper escaping. This flaw enables users with the Add Dynamic Partitions permission to inject arbitrary SQL code that would execute against the connected database using the I/O manager's credentials. Only instances utilizing dynamic partitions are at risk; those using static or time-window partitions remain unaffected. A resolution has been implemented in the latest versions.

Affected Version(s)

dagster dagster < 1.13.1 < dagster 1.13.1

dagster dagster-duckdb < 0.29.1 < dagster-duckdb 0.29.1

dagster dagster-snowflake < 0.29.1 < dagster-snowflake 0.29.1

References

https://github.com/dagster-io/dagster/security/advisories...

x_refsource_CONFIRM

https://github.com/dagster-io/dagster/releases/tag/1.13.1

x_refsource_MISC

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41490 Data

JSON

Dagster-io

What is CVE-2026-41490?

Affected Version(s)

References

CVSS V3.1

Timeline