The /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions.
An authenticated low-privilege user could:
- Extract data from any table via subquery: (SELECT group_concat(email) FROM user_account) as leak
- Disclose database internals: sqlite_version(), (SELECT sql FROM sqlite_master)
- Exfiltrate cross-table data via correlated subqueries
The vulnerability was confirmed locally; user_account.email values were extracted via a crafted column parameter by a non-admin user.
goqu.L(userInput) in server/resource/resource_aggregate.go inserted user-supplied query parameters directly into the SQL string with no validation.
All goqu.L() calls on user-controlled input were eliminated and replaced with:
- Structural expression parsing supporting all documented API forms
- Schema-based column validation (column names checked against entity schema via TableInfo().GetColumnByName())
- Exact-match allowlist for aggregate functions (count, sum, avg, min, max, first, last) and scalar functions (date, strftime, upper, lower, etc.)
- Safe goqu constructors (goqu.I(), goqu.SUM(), goqu.Func()) for all generated expressions
- allowedTables scope enforcement: qualified column refs (table.col) validated against root entity + explicitly joined tables only
Two additional DoS bugs were fixed in the same commit: uuid.MustParse panic on malformed UUID input and an index-out-of-range panic in ToOrderedExpressionArray on empty sort expressions.
Reported by @VashuVats.
| Score | Percentile |
|---|---|
| 0.05% | 14.09% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-rw2c-8rfq-gwfv ↗ |
| CVE | CVE-2026-41422 ↗ |
| CWE id | Name |
|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/daptin/daptin | < 0.11.4 | 0.11.4 | — |