Type-safe TypeScript SQL Query Builder Vulnerability in Kysely
CVE-2026-44635

7.5HIGH

Key Information:

Vendor: Kysely-org
Status: Kysely
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-44635?

The Kysely SQL query builder contains a flaw in DefaultQueryCompiler.visitJSONPathLeg, which fails to properly escape JSON-path metacharacters such as ., [, ], *, **, and ?. An attacker can exploit this by injecting controlled input into methods like eb.ref(col, '->$').key(input) or .at(input). This allows for unauthorized traversal of JSON sub-fields that should not be exposed, potentially leading to read and write access to sensitive data outside of the developer's intended scope, affecting databases like MySQL, PostgreSQL, and SQLite. The issue is resolved in version 0.28.17.

Affected Version(s)

kysely >= 0.26.0, < 0.28.17

References

https://github.com/kysely-org/kysely/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44635 Data

JSON

Kysely-org

What is CVE-2026-44635?

Affected Version(s)

References

CVSS V3.1

Timeline