The Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings.
Fixed in v9.1.0. The Postgres query parser now uses parameterized queries with %(name)s placeholders passed to psycopg2's cursor.execute(), preventing SQL injection through the ?q= parameter. The MongoDB backend was not affected.
Upgrade to v9.1.0 or later. If unable to upgrade, deploy a proxy in front of the Alerta API to sanitize the q= parameter.
https://github.com/alerta/alerta/pull/712/files
https://owasp.org/www-community/attacks/SQL_Injection
| Score | Percentile |
|---|---|
| 0.02% | 3.69% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-8prr-286p-4w7j ↗ |
| CVE | CVE-2026-34400 ↗ |
| CWE id | Name |
|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | alerta-server | < 9.1.0 | 9.1.0 | — |