CVE-2026-42031
Published: 13 May 2026
Summary
CVE-2026-42031 is a high-severity SQL Injection (CWE-89) vulnerability in Okfn Ckan. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CKAN is an open-source data management system used for data hubs and portals. Prior to versions 2.10.10 and 2.11.5, a SQL injection flaw in the datastore_search_sql component (CWE-89) permitted unauthorized access to private resources and PostgreSQL system information. The issue carries a CVSS 4.0 score of 8.3 with network attack vector, low complexity, and no required privileges or user interaction.
Unauthenticated remote attackers can supply crafted SQL through the affected endpoint to read restricted data and database metadata. Exploitation requires only network reachability to a CKAN instance exposing the datastore_search_sql interface.
The referenced GitHub Security Advisory GHSA-h7j7-3rx6-xvcg confirms the vulnerability is resolved by upgrading to CKAN 2.10.10 or 2.11.5. The associated EPSS score has remained flat at 0.1378 with no material increase since disclosure.
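Because the advisory's remediation is a version upgrade (SI-2, Flaw Remediation), the first practical step for a defender is to find which instances still run a pre-fix release. The script below is an added example, not CKAN project code. It assumes the fix boundaries stated above (2.10.10 for the 2.10 series, 2.11.5 for the 2.11 series), treats any series older than 2.10 as affected and any series newer than 2.11 as fixed (both assumptions), and assumes CKAN's `status_show` API action returns a `ckan_version` field; the hostnames and versions in the sample inventory are constructed.

```python
"""Version triage for CVE-2026-42031 (added example; not CKAN project code).

Assumptions: fixed versions are 2.10.10 (2.10 series) and 2.11.5 (2.11 series)
as stated in the advisory; series older than 2.10 are treated as affected and
series newer than 2.11 as fixed; the CKAN action API's status_show response
carries the running version under result.ckan_version.
"""
from __future__ import annotations

import json
import re

# Series -> first fixed release in that series (from the advisory).
FIXED_VERSIONS = {(2, 10): (2, 10, 10), (2, 11): (2, 11, 5)}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return the numeric major.minor.patch prefix of a CKAN version string.

    Pre-release suffixes such as "2.11.0b1" are ignored; a missing patch
    component is read as 0.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CKAN version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True when the version predates the fix for its series."""
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[series]
    # Assumption: 2.9 and earlier predate both fixes; 2.12+ postdate them.
    return series < (2, 10)


def version_from_status_show(body: str) -> str:
    """Extract result.ckan_version from a status_show JSON response (assumed shape)."""
    payload = json.loads(body)
    if not payload.get("success"):
        raise ValueError("status_show reported success=false")
    return payload["result"]["ckan_version"]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into hosts needing a patch and hosts already fixed."""
    result: dict[str, list[str]] = {"affected": [], "fixed": []}
    for host, version in inventory.items():
        result["affected" if is_affected(version) else "fixed"].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "portal-a.example": "2.10.4",
    "portal-b.example": "2.11.5",
    "portal-c.example": "2.9.11",
    "portal-d.example": "2.11.3",
}

# Constructed status_show response in the assumed shape.
SAMPLE_STATUS_SHOW = '{"help": "…", "success": true, "result": {"site_title": "Demo", "ckan_version": "2.10.9"}}'

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
    print(version_from_status_show(SAMPLE_STATUS_SHOW), is_affected(version_from_status_show(SAMPLE_STATUS_SHOW)))
```

In practice the inventory would be filled from each instance's `status_show` response (or from configuration management) before calling `triage`; the series-aware comparison matters because a plain lexical or numeric comparison would wrongly mark 2.10.10 as older than 2.11.3.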
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30118
Vulnerability details
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. This vulnerability is fixed in 2.10.10 and 2.11.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the public CKAN datastore_search_sql endpoint directly enables exploitation of a public-facing application (T1190) and unauthorized access to database contents (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of untrusted input to the datastore_search_sql endpoint, blocking the crafted SQL that enables unauthorized data access.
- SI-2 (Flaw Remediation): Mandates timely application of the CKAN 2.10.10/2.11.5 patches that remediate the SQL injection flaw in datastore_search_sql.
- Enforces access restrictions on private resources and database metadata that the unauthenticated SQL injection was able to bypass.
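Until the patch is applied, the controls above are backed up by visibility into who is querying the endpoint and what for. The script below is an added example, not CKAN project code or anything from the advisory. It assumes the endpoint is reachable at `/api/3/action/datastore_search_sql` with the query in a `sql` parameter and that the front-end web server writes Apache/NGINX combined-format access logs; the log lines it parses are constructed. It flags requests whose SQL references PostgreSQL system catalogs or session metadata rather than a dataset, which is the kind of "PostgreSQL system information" access the advisory describes, and summarises hits per source address.

```python
"""Access-log triage for datastore_search_sql requests (added example; not CKAN code).

Assumptions: the CKAN action API serves datastore_search_sql at the path below
with the statement in the `sql` query parameter, and the web server writes
combined-format access logs. Only GET requests carry the statement in the
logged request line; POST bodies are not in access logs (see the note below).
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

ENDPOINT = "/api/3/action/datastore_search_sql"  # assumed CKAN action API path

# Terms that point at database metadata rather than a published dataset.
SYSTEM_TERMS = (
    "pg_catalog", "information_schema", "pg_tables", "pg_user", "pg_roles",
    "current_user", "version(",
)


def parse_line(line: str) -> dict[str, str] | None:
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict[str, str]) -> dict | None:
    """Return details for a datastore_search_sql request, else None."""
    parts = urlsplit(rec["target"])
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes the value, so %20 and %22 become spaces and quotes.
    sql = parse_qs(parts.query).get("sql", [""])[0]
    lowered = sql.lower()
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "status": int(rec["status"]),
        "sql": sql,
        "system_terms": [t for t in SYSTEM_TERMS if t in lowered],
    }


def triage(lines: list[str]) -> list[dict]:
    """Keep only datastore_search_sql requests whose SQL touches system metadata."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit and hit["system_terms"]:
            findings.append(hit)
    return findings


def by_source(findings: list[dict]) -> Counter:
    """Count flagged requests per client address to spot enumeration from one host."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log lines (addresses, resource id and timestamps are made up).
SAMPLE_LINES = [
    '203.0.113.7 - - [13/May/2026:10:01:02 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT%20*%20FROM%20%22abc123%22%20LIMIT%205 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [13/May/2026:10:01:09 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT%20tablename%20FROM%20pg_catalog.pg_tables HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.2 - - [13/May/2026:10:02:00 +0000] "GET /dataset/example HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2026:10:03:11 +0000] "GET /api/3/action/datastore_search_sql?sql=SELECT%20current_user HTTP/1.1" 200 128 "-" "curl/8.0"',
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["system_terms"], h["sql"])
    print(by_source(hits))
```

The first sample request, a plain dataset query, is deliberately not flagged: ordinary portal users legitimately call this endpoint, so alerting on every hit would be noise. Statements submitted by POST never reach the access log, so on a real deployment the same term list belongs in the WAF or in CKAN's application-level request logging, and an HTTP 200 on a flagged request is the strongest signal that data actually left.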