Cyber Posture

CVE-2026-40887

Critical

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (versions 2.3.4, 3.5.7, 3.6.2)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0538 (90.2th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40887 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of the user-controlled languageCode parameter to prevent its unsafe interpolation into raw SQL expressions, as implemented in the provided hotfix.

Prevent: Mandates identification, reporting, and correction of the SQL injection flaw through patching to parameterized queries, aligning with the official remediation in fixed versions.

Prevent: Enforces restrictions on information inputs like languageCode to limit them to valid values, blocking injection payloads before they reach SQL queries.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated SQL injection in public-facing Shop API enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary SQL execution for data extraction from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

Deeper analysis

CVE-2026-40887 is an unauthenticated SQL injection vulnerability in the Vendure Shop API, an open-source headless commerce platform. The issue arises from a user-controlled query string parameter, specifically the languageCode, being directly interpolated into a raw SQL expression without parameterization or validation. This affects Vendure versions starting from 1.7.4 and prior to 2.3.4, 3.5.7, and 3.6.2, impacting all supported database backends including PostgreSQL, MySQL/MariaDB, and SQLite. The Admin API is also vulnerable to SQL injection, but exploitation there requires authentication. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-89.

Unauthenticated remote attackers can exploit the Shop API by supplying malicious payloads in the languageCode parameter, enabling arbitrary SQL execution against the backend database. This allows attackers to extract sensitive data (high confidentiality impact) and potentially to cause denial of service through data corruption or excessive resource consumption (high availability impact); no direct integrity modification is scored. For the Admin API, authenticated users with sufficient privileges could achieve similar outcomes.

The official advisory recommends upgrading to Vendure versions 2.3.4, 3.5.7, or 3.6.2, which fix the issue by converting the vulnerable SQL interpolation to a parameterized query for defense in depth. For those unable to upgrade immediately, a hotfix is available that modifies the RequestContextService.getLanguageCode method in packages/core/src/service/helpers/request-context/request-context.service.ts to validate the languageCode input at the API boundary, silently dropping invalid values and falling back to the channel's default language. Details are available in the GitHub Security Advisory at https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v.
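The two layers described above, boundary validation of the language code and a parameterized query, shown side by side with the vulnerable interpolation pattern. This is an added illustration, not Vendure's own code or hotfix: the allowlist, the query shape, the table name and every function name are assumptions standing in for the platform's real LanguageCode enum and TypeORM queries, and the malformed input in the test is constructed.

```typescript
// Added example, not Vendure's code. Assumption: a small allowlist stands in
// for the platform's LanguageCode enum; names below are hypothetical.
const SUPPORTED_LANGUAGE_CODES = ['en', 'de', 'fr', 'es', 'zh_Hans'] as const;
type LanguageCode = (typeof SUPPORTED_LANGUAGE_CODES)[number];

// Strict membership check: only exact allowlisted strings pass. Arrays (from a
// repeated query parameter), numbers, objects and near-misses are all rejected.
function isLanguageCode(value: unknown): value is LanguageCode {
  return typeof value === 'string' &&
    (SUPPORTED_LANGUAGE_CODES as readonly string[]).includes(value);
}

// Boundary check modelled on the advisory's description of the hotfix:
// an invalid value is dropped silently and the channel's default language is used.
function getLanguageCode(queryValue: unknown, channelDefault: LanguageCode): LanguageCode {
  return isLanguageCode(queryValue) ? queryValue : channelDefault;
}

// VULNERABLE pattern, kept only for contrast: untrusted input spliced into SQL text.
// A single quote in the input ends the string literal and the rest becomes SQL.
function buildTranslationFilterUnsafe(languageCode: string): string {
  return `SELECT * FROM product_translation WHERE "languageCode" = '${languageCode}'`;
}

// Hardened pattern, as the patched versions do: a placeholder in the SQL text and
// the value passed separately, so the database never parses it as SQL.
interface ParameterizedQuery {
  sql: string;
  params: Record<string, string>;
}

function buildTranslationFilterSafe(languageCode: LanguageCode): ParameterizedQuery {
  return {
    sql: 'SELECT * FROM product_translation WHERE "languageCode" = :languageCode',
    params: { languageCode },
  };
}

// Request-handling sketch: validate at the boundary first, then only the validated
// value reaches the query builder. Both layers hold even if one is bypassed.
function handleLanguageQuery(
  query: Record<string, unknown>,
  channelDefault: LanguageCode,
): ParameterizedQuery {
  const lang = getLanguageCode(query['languageCode'], channelDefault);
  return buildTranslationFilterSafe(lang);
}

// Helper for tests and review: true when user text reached the SQL string itself.
function sqlContainsRawInput(sql: string, input: string): boolean {
  return sql.includes(input);
}
```

The useful checks are the negative ones: a value that is not exactly in the allowlist (a stray quote, a different case, an array produced by `?languageCode=en&languageCode=de`) never appears in the SQL text, and the query that does run carries the channel default instead.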

Details

CWE(s): CWE-89 (SQL Injection)

CVEs Like This One

CVE-2025-40639 (shared CWE-89)
CVE-2019-25674 (shared CWE-89)
CVE-2019-25526 (shared CWE-89)
CVE-2019-25524 (shared CWE-89)
CVE-2025-23780 (shared CWE-89)
CVE-2024-51818 (shared CWE-89)
CVE-2026-31891 (shared CWE-89)
CVE-2026-30951 (shared CWE-89)
CVE-2025-32303 (shared CWE-89)
CVE-2026-5100 (shared CWE-89)
