PowerSync Service Subquery Filter Bypass Vulnerability in Version 1.20.0
Vulnerability
A vulnerability in PowerSync Service version 1.20.0 allows authenticated users to sync restricted data when using the new sync streams with config.edition: 3. Certain subquery filters were ignored when the sync stream was evaluated, so rows that should have been filtered out were synchronized to clients. Only stream queries that use a subquery purely to control whether data is synchronized, without partitioning the data, are affected; queries whose subqueries partition the data are not impacted.
Impact
Exploitation of this vulnerability could result in unauthorized data synchronization, allowing users to access information that should have been restricted based on the sync stream configuration.
Remediation
Users can update to PowerSync Service version 1.20.1 to address this vulnerability. For self-hosted PowerSync instances, updating to the latest version and restarting the service is recommended.